
Windows Analysis Report
LisectAVT_2403002A_134.exe

Overview

General Information

Sample name: LisectAVT_2403002A_134.exe
Analysis ID: 1482508
MD5: d1294dbd0e36820875022093a0d469d8
SHA1: f258083bf53ea6c32a6a3abf1244fd6470b6b4c1
SHA256: a18411c60fb9f8f02d82b6d74662d7bef6798ba8119c9072b6c25ab29887f906
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • LisectAVT_2403002A_134.exe (PID: 4428 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_134.exe" MD5: D1294DBD0E36820875022093A0D469D8)
    • LisectAVT_2403002A_134.exe (PID: 6160 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_134.exe" MD5: D1294DBD0E36820875022093A0D469D8)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admin@normagroup.com.tr", "Password": "Kingdom12345@"}
Yara matches (memory dumps)
Source | Rule | Description | Author | Strings
  • 00000003.00000002.4490186653.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000003.00000002.4486327299.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000003.00000002.4486327299.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000003.00000002.4490186653.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000003.00000002.4490186653.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Yara matches (unpacked PE)
Source | Rule | Description | Author | Strings
  • 0.2.LisectAVT_2403002A_134.exe.3dbb680.9.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 0.2.LisectAVT_2403002A_134.exe.3dbb680.9.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 0.2.LisectAVT_2403002A_134.exe.3dbb680.9.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
    Strings:
      0x3125f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
      0x312d1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
      0x3135b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
      0x313ed:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
      0x31457:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
      0x314c9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
      0x3155f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
      0x315ef:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • 0.2.LisectAVT_2403002A_134.exe.3dbb680.9.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
    Strings:
      0x2e7b3:$s2: GetPrivateProfileString
      0x2deb8:$s3: get_OSFullName
      0x2f4f9:$s5: remove_Key
      0x2f682:$s5: remove_Key
      0x30518:$s6: FtpWebRequest
      0x31241:$s7: logins
      0x317b3:$s7: logins
      0x34538:$s7: logins
      0x34576:$s7: logins
      0x35e72:$s7: logins
      0x35110:$s9: 1.85 (Hash, version 2, native byte-order)
  • 0.2.LisectAVT_2403002A_134.exe.3d81060.7.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
No Sigma rule has matched
No Snort rule has matched

Network alerts
Timestamp: 2024-07-25T23:57:32.103539+0200
SID: 2022930
Source Port: 443
Destination Port: 50705
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-25T23:56:51.669552+0200
SID: 2022930
Source Port: 443
Destination Port: 49710
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: LisectAVT_2403002A_134.exe | Avira: detected
Source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admin@normagroup.com.tr", "Password": "Kingdom12345@"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: LisectAVT_2403002A_134.exe | Joe Sandbox ML: detected
Source: LisectAVT_2403002A_134.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002A_134.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mVmj.pdb source: LisectAVT_2403002A_134.exe
Source: Binary string: mVmj.pdbSHA256 source: LisectAVT_2403002A_134.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 4x nop then jmp 02910F1Bh | 0_2_0291075F

Networking

Source: Yara match | File source: 0.2.LisectAVT_2403002A_134.exe.3dbb680.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | IP Address: 104.247.165.99
Source: Joe Sandbox View | ASN Name: ASN-QUADRANET-GLOBALUS
Source: unknown | FTP traffic detected: 104.247.165.99:21 -> 192.168.2.5:49707
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 1 of 50 allowed.
  220-Local time is now 00:56. Server port: 21.
  220-This is a private system - No anonymous login
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ftp.normagroup.com.tr
Source: LisectAVT_2403002A_134.exe, 00000003.00000002.4490186653.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_134.exe, 00000003.00000002.4490186653.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.normagroup.com.tr
Source: LisectAVT_2403002A_134.exe, 00000003.00000002.4490186653.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LisectAVT_2403002A_134.exe, 00000000.00000002.2050611192.0000000003C7E000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_134.exe, 00000003.00000002.4486327299.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: LisectAVT_2403002A_134.exe | String found in binary or memory: https://download.alegsoftware.ga/ws_switches/contatore/ltromatic.ttf
Source: LisectAVT_2403002A_134.exe | String found in binary or memory: https://fsf.org/
Source: LisectAVT_2403002A_134.exe | String found in binary or memory: https://www.gnu.org/licenses/
Source: LisectAVT_2403002A_134.exe | String found in binary or memory: https://www.gnu.org/licenses/why-not-lgpl.html

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.raw.unpack, pmGIa7.cs | .Net Code: MbUYEAV2
Source: 0.2.LisectAVT_2403002A_134.exe.3dbb680.9.raw.unpack, pmGIa7.cs | .Net Code: MbUYEAV2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\LisectAVT_2403002A_134.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.LisectAVT_2403002A_134.exe.3dbb680.9.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_134.exe.3dbb680.9.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 3.2.LisectAVT_2403002A_134.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.LisectAVT_2403002A_134.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_134.exe.3dbb680.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_134.exe.3dbb680.9.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 0_2_00F9D364
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 0_2_02912D28
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 0_2_04FBBF68
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 0_2_04FBEAEE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_013593F8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_01359BB0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_01354A58
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_0135CFD0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_01353E40
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_01354188
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_062656B8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_06262EF0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_06263F28
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_0626BCC8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_06268B68
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_0626DBF0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_06260040
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_06263630
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_06264FD8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_06A24738
Source: LisectAVT_2403002A_134.exe, 00000000.00000002.2048277325.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs LisectAVT_2403002A_134.exe
Source: LisectAVT_2403002A_134.exe, 00000000.00000002.2053351805.0000000007010000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs LisectAVT_2403002A_134.exe
Source: LisectAVT_2403002A_134.exe, 00000000.00000002.2050611192.0000000003C7E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename3819dde1-5cc3-425a-99b4-feee310e8d7d.exe4 vs LisectAVT_2403002A_134.exe
Source: LisectAVT_2403002A_134.exe, 00000000.00000002.2050611192.0000000003C7E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs LisectAVT_2403002A_134.exe
Source: LisectAVT_2403002A_134.exe, 00000000.00000002.2050004526.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs LisectAVT_2403002A_134.exe
Source: LisectAVT_2403002A_134.exe, 00000000.00000002.2050004526.0000000002B01000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename3819dde1-5cc3-425a-99b4-feee310e8d7d.exe4 vs LisectAVT_2403002A_134.exe
Source: LisectAVT_2403002A_134.exe, 00000003.00000002.4486742312.0000000000BB8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs LisectAVT_2403002A_134.exe
Source: LisectAVT_2403002A_134.exe, 00000003.00000002.4486327299.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename3819dde1-5cc3-425a-99b4-feee310e8d7d.exe4 vs LisectAVT_2403002A_134.exe
Source: LisectAVT_2403002A_134.exe | Binary or memory string: OriginalFilenamemVmj.exe4 vs LisectAVT_2403002A_134.exe
Source: LisectAVT_2403002A_134.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.LisectAVT_2403002A_134.exe.3dbb680.9.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_134.exe.3dbb680.9.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 3.2.LisectAVT_2403002A_134.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.LisectAVT_2403002A_134.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_134.exe.3dbb680.9.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_134.exe.3dbb680.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: LisectAVT_2403002A_134.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.raw.unpack, rgjtyRJ0.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.raw.unpack, rgjtyRJ0.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.raw.unpack, mNYd.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.raw.unpack, mNYd.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.raw.unpack, 3zL.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.raw.unpack, 3zL.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.raw.unpack, 3zL.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.raw.unpack, 3zL.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, OdlSfjpuRUCNlQDYU5.cs | Security API names: _0020.SetAccessControl
Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, OdlSfjpuRUCNlQDYU5.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, OdlSfjpuRUCNlQDYU5.cs | Security API names: _0020.AddAccessRule
Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, BkKOPxWtPTDOl1lhxy.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_134.exe.2b29440.3.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.LisectAVT_2403002A_134.exe.2ada924.2.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.LisectAVT_2403002A_134.exe.5600000.11.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_134.exe.log
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Mutant created: NULL
Source: LisectAVT_2403002A_134.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LisectAVT_2403002A_134.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe "C:\Users\user\Desktop\LisectAVT_2403002A_134.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Process created: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe "C:\Users\user\Desktop\LisectAVT_2403002A_134.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: LisectAVT_2403002A_134.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: LisectAVT_2403002A_134.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: LisectAVT_2403002A_134.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mVmj.pdb source: LisectAVT_2403002A_134.exe
Source: Binary string: mVmj.pdbSHA256 source: LisectAVT_2403002A_134.exe

                  Data Obfuscation

                  Source: 0.2.LisectAVT_2403002A_134.exe.5260000.10.raw.unpack, wehuuoKhMKMbnQu72K.cs | .Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.LisectAVT_2403002A_134.exe.2ac5dc4.6.raw.unpack, wehuuoKhMKMbnQu72K.cs | .Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, OdlSfjpuRUCNlQDYU5.cs | .Net Code: z1O1e0kQG5 System.Reflection.Assembly.Load(byte[])
                  Source: LisectAVT_2403002A_134.exe | Static PE information: 0xF4AB3910 [Thu Jan 28 23:26:08 2100 UTC]
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 0_2_00F9F4F8 pushfd ; iretd 0_2_00F9F4F9
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_06269C3C push ds; retf 3_2_06269C3F
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_06A24238 pushfd ; retf 3_2_06A24281
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_06A2208F push es; iretd 3_2_06A220CC
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_06A220CD push es; iretd 3_2_06A220DC
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_06A22023 push es; iretd 3_2_06A22024
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_06A22017 push es; iretd 3_2_06A2201C
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_06A2201F push es; iretd 3_2_06A22020
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_06A2206D push es; iretd 3_2_06A22088
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_06A22049 push es; iretd 3_2_06A22054
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Code function: 3_2_06A22055 push es; iretd 3_2_06A2206C
                  Source: LisectAVT_2403002A_134.exe | Static PE information: section name: .text entropy: 7.916457293076162
                  Source: 0.2.LisectAVT_2403002A_134.exe.5260000.10.raw.unpack, kdFvaMFVPKs73pA7Ae.cs | High entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
                  Source: 0.2.LisectAVT_2403002A_134.exe.5260000.10.raw.unpack, DD.cs | High entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
                  Source: 0.2.LisectAVT_2403002A_134.exe.5260000.10.raw.unpack, ihWImL1h2qjtIkVYDh.cs | High entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
                  Source: 0.2.LisectAVT_2403002A_134.exe.5260000.10.raw.unpack, oImfMJtvGUo8fMQNBQ.cs | High entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
                  Source: 0.2.LisectAVT_2403002A_134.exe.5260000.10.raw.unpack, wehuuoKhMKMbnQu72K.cs | High entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
                  Source: 0.2.LisectAVT_2403002A_134.exe.2ac5dc4.6.raw.unpack, kdFvaMFVPKs73pA7Ae.cs | High entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
                  Source: 0.2.LisectAVT_2403002A_134.exe.2ac5dc4.6.raw.unpack, DD.cs | High entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
                  Source: 0.2.LisectAVT_2403002A_134.exe.2ac5dc4.6.raw.unpack, ihWImL1h2qjtIkVYDh.cs | High entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
                  Source: 0.2.LisectAVT_2403002A_134.exe.2ac5dc4.6.raw.unpack, oImfMJtvGUo8fMQNBQ.cs | High entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
                  Source: 0.2.LisectAVT_2403002A_134.exe.2ac5dc4.6.raw.unpack, wehuuoKhMKMbnQu72K.cs | High entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
                  Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, OdlSfjpuRUCNlQDYU5.cs | High entropy of concatenated method names: 'GZgVNGovtD', 'AM5Vx9Mjm9', 'S1nVcNPRVK', 'jXTV76p3Y6', 'd4xVApI8Yk', 'juJVub1Huh', 'teMVUCNgmo', 'QAqVM23EOR', 'ujQVKPQlcD', 'iQrVZ6XIpd'
                  Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, hJaVIUGkr0yoYGlVdP.cs | High entropy of concatenated method names: 'RCXeF0MYW', 'gjVOU50n3', 'u3a9SFKKQ', 'qIXLyg9Mk', 'WGIrOwdHY', 'laEX5NSjg', 'JyGTvbJmBXP112lT3h', 'TOcXPIAB28eHe8matj', 'gSInQt1Cq', 'zj1IbdSgU'
                  Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, DHiZVFPce8G67eHKnh.cs | High entropy of concatenated method names: 'wNSDtJi6Xv', 'YxcDlQRurL', 'mRvnaZjcNx', 'agVn53AFg2', 'utoDH9uCVt', 'UkcDo9tqPf', 'gsmD2niEJl', 'NrKDBewYvV', 'RbwD4fyKD5', 'iRRDbIEkIH'
                  Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, KHtFJk2DfQEoIV6f0f.cs | High entropy of concatenated method names: 'yAC7Obmq37', 'C9p79Y316q', 'Jvp7G4orFA', 'kdA7rrXa2F', 'XUN70Hw2Gm', 'HT97Qaj923', 'wTJ7DvkEeO', 'pan7nHhFnb', 'Two7fAs6TD', 'lB67IeSloE'
                  Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, BkKOPxWtPTDOl1lhxy.cs | High entropy of concatenated method names: 'h7DcBNXZAr', 'Q8Ic4i7xlN', 'lPDcbAinS3', 'V57cJkUgUX', 'EwXc69htkK', 'itQch1CqVd', 'K5ecFBdfJP', 'bxyct5vWC8', 'gBJc3nfBiT', 'i0CclvoVSm'
                  Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, GLuYQQYlAqor1TAQew.cs | High entropy of concatenated method names: 'fMv5UMaJuy', 'HcV5MeeBWg', 'nXI5ZaMp1Z', 'I925vt49IZ', 'cjV50NyuI6', 'ECM5QF9dxB', 'B1PPWQ8aR8CrdHMG9V', 'o4uqPgBvhnS1cWY2c3', 'sw555xs2Ku', 'mNf5VXO4M6'
                  Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, c7BtRQRUhKYwfA1Vwm6.cs | High entropy of concatenated method names: 'YdifT0ybbs', 'I5AfjbSjQt', 'mgvfe6VeRT', 'HhsfOfM0Sw', 'l7TfkCigZm', 'oEqf9fS1Js', 'LcDfLZ7ONK', 'klHfGf2FRe', 'NRlfrVPsfI', 'XqCfXoxwUP'
                  Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, mlnM4sOQIi70wBrNLb.cs | High entropy of concatenated method names: 'vAiSGPbw0T', 'LE4SryTooE', 'JJ8SYq8RcO', 'MNJSmQcPnG', 'qGMSgCRxJx', 'NADSWZSNid', 'Dl7SiT0Dm3', 'q4ySRgAENI', 'HTXSPaJRqR', 'YIxSHnuqLT'
                  Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, kk4Jd0fsfydXFWFdRc.cs | High entropy of concatenated method names: 'oTDnxy7a3N', 'o1EncfVDVw', 'k8En7ViVsH', 'NajnAJ6WPu', 'iKjnuboTxV', 'kDInUKK1jH', 'hltnM17SSP', 'JWCnKeRKu0', 'Dm8nZCUBTx', 'V4TnvI00cV'
                  Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, CBBlg6xa5rjXqJCcfN.cs | High entropy of concatenated method names: 'UeKuN2blB8', 'AKZucpA7Jm', 'XFiuApha5i', 'VqfuURpWXP', 'LjXuM9VcKd', 'NgYA64xyut', 'GQfAhqmCRj', 'nyGAFVtLiE', 'n3cAtoSseR', 'UrJA3w4NLT'
                  Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, dE9S1ktrxwWL2invdR.cs | High entropy of concatenated method names: 'ToString', 'WSHQHiQ2xs', 'L6dQmrK3xa', 'P5EQCB1Lhy', 'C0lQge6cQr', 'SiVQW50Vp7', 'P9LQqLRCyn', 'rvZQiiYSkT', 'ksfQRjPCc9', 'JdBQ8RwaNP'
                  Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, Oq7iU74OEBZ4I6vJvi.cs | High entropy of concatenated method names: 'JMyf5csVRE', 'BDnfV2vEUJ', 'nh0f1JYR9B', 'TGifxy5wCf', 'SAxfcVuFAe', 'WT9fAyTWGr', 'wwNfuDMcoL', 'RZnnFwYRQR', 'EexntVxOw9', 'hhYn3Mctio'
                  Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, KN3gSMS3NX11JJnl2T.cs | High entropy of concatenated method names: 'Dispose', 'vro53GYX6O', 'euppmMENQH', 'aLjyypcZfu', 'AEi5lN9rct', 'pO45zjk2X4', 'ProcessDialogKey', 'TUNpaB2ni2', 'LWTp5MophK', 'xyKppmKvnE'
                  Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, L6HRkmR90kOLBOfAGVr.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qK1IBlHmKu', 'n9gI4Zkvts', 'ragIboXnC3', 'qvsIJfOome', 'TX7I6aXTCG', 'DnuIhPTCv4', 'nAOIFOYBlM'
                  Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, Oi5P6nhrwYbHF07Al8.cs | High entropy of concatenated method names: 'pYyubMtMq1', 'kZ4uJIELU4', 'kj5u6gFf5p', 'ToString', 'WFPuhRpCbj', 'lZ9uFKsSbH', 'mLGkwxYdaKw92CQrB1v', 'ILxAGnYwM3OehumEZ7V'
                  Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, DUlB6y1pOYQEFoGhR8.cs | High entropy of concatenated method names: 'IcoAk1XUBG', 'O4PALu6eHP', 'D2F7CMfPpD', 'n2y7g1dTEA', 'xAm7WWg5MF', 'n297qcHCq4', 'aCR7i3xMhW', 'RhS7RWkOXZ', 'EmI78WlVQo', 'oc37P5sdmr'
                  Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, qrDYACbEieiDK3cZUr.cs | High entropy of concatenated method names: 'L8fUTdTaSF', 'RZfUjVrBjJ', 'v5SUepjZLJ', 'mGMUOU6Zkd', 'OadUkKgh5h', 'yhyU9OGLWQ', 'b5oUL6LN3Y', 'V3uUGHdpVg', 'V93Ur4RxeH', 'Y3jUXxCqpv'
                  Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, weTgMsNRAZGaNR7pex.cs | High entropy of concatenated method names: 'f8inYA54HW', 'kgInmEnLVi', 'ohlnCVIQSR', 'ukKngDTs5H', 'vxpnB6L0gg', 'wZSnWyU7s2', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.LisectAVT_2403002A_134.exe.3e84b70.8.raw.unpack, ip8Do4X07L2EjDlR2S.cs | High entropy of concatenated method names: 'cFGUxroKB7', 'O2kU7Z3y0j', 'aZtUuMRFPp', 'CUpulw5oni', 'JvNuzJGIyP', 'SG8Uao0KIQ', 'qyXU588v16', 'GNwUpe8uvY', 'JLSUV4v3lB', 'AniU1HZ2Xn'
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_134.exe PID: 4428, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Memory allocated: F90000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Memory allocated: 2AA0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Memory allocated: 28C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Memory allocated: 7920000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Memory allocated: 8920000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Memory allocated: 8AD0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Memory allocated: 9AD0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Memory allocated: 1350000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Memory allocated: 2DD0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Memory allocated: 2CD0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1200000
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1199891
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1199766
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1199641
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1199531
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1199422
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1199313
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1199188
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1199063
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1198953
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1198844
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1198719
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1198610
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1198485
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1198360
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1198235
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1198110
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1197985
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1197860
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1197735
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1197610
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1197485
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1197360
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1197235
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1197110
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1196985
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1196860
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1196735
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1196610
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1196485
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1196360
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1196235
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1196110
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1195985
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1195860
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1195735
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1195564
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1195438
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1195313
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1195188
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1195078
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1194969
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1194844
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1194735
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1194610
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1194485
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1194360
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1194235
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1194110
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Thread delayed: delay time: 1193985
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Window / User API: threadDelayed 1611
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Window / User API: threadDelayed 8211
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 2568 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492 | Thread sleep count: 36 > 30
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492 | Thread sleep time: -33204139332677172s >= -30000s
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492 | Thread sleep time: -1200000s >= -30000s
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 3288 | Thread sleep count: 1611 > 30
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492 | Thread sleep time: -1199891s >= -30000s
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 3288 | Thread sleep count: 8211 > 30
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492 | Thread sleep count: 33 > 30
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492 | Thread sleep time: -1199766s >= -30000s
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492 | Thread sleep time: -1199641s >= -30000s
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492 | Thread sleep time: -1199531s >= -30000s
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492 | Thread sleep time: -1199422s >= -30000s
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1199313s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1199188s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1199063s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1198953s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1198844s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1198719s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1198610s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1198485s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1198360s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1198235s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1198110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1197985s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1197860s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1197735s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1197610s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1197485s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1197360s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1197235s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1197110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1196985s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1196860s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1196735s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1196610s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1196485s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1196360s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1196235s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1196110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1195985s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1195860s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1195735s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1195564s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1195438s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1195313s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1195188s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1195078s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1194969s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1194844s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1194735s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1194610s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1194485s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1194360s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1194235s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1194110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe TID: 1492Thread sleep time: -1193985s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1200000Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1199891Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1199766Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1199641Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1199531Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1199422Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1199313Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1199188Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1199063Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1198953Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1198844Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1198719Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1198610Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1198485Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1198360Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1198235Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1198110Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1197985Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1197860Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1197735Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1197610Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1197485Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1197360Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1197235Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1197110Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1196985Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1196860Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1196735Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1196610Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1196485Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1196360Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1196235Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1196110Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1195985Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1195860Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1195735Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1195564Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1195438Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1195313Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1195188Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1195078Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1194969Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1194844Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1194735Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1194610Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1194485Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1194360Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1194235Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1194110Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeThread delayed: delay time: 1193985Jump to behavior
                  Source: LisectAVT_2403002A_134.exe, 00000003.00000002.4488278355.00000000011E1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllture
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeMemory allocated: page read and write | page guardJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeProcess created: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe "C:\Users\user\Desktop\LisectAVT_2403002A_134.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeQueries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeQueries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 0.2.LisectAVT_2403002A_134.exe.3dbb680.9.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.LisectAVT_2403002A_134.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LisectAVT_2403002A_134.exe.3dbb680.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000003.00000002.4490186653.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.4486327299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.4490186653.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2050611192.0000000003C7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_134.exe PID: 4428, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_134.exe PID: 6160, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | File opened: C:\FTP Navigator\Ftplist.txt
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Users\user\Desktop\LisectAVT_2403002A_134.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: Yara match | File source: 0.2.LisectAVT_2403002A_134.exe.3dbb680.9.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.LisectAVT_2403002A_134.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LisectAVT_2403002A_134.exe.3dbb680.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000003.00000002.4486327299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.4490186653.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2050611192.0000000003C7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_134.exe PID: 4428, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_134.exe PID: 6160, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: 0.2.LisectAVT_2403002A_134.exe.3dbb680.9.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.LisectAVT_2403002A_134.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LisectAVT_2403002A_134.exe.3dbb680.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LisectAVT_2403002A_134.exe.3d81060.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000003.00000002.4490186653.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.4486327299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.4490186653.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2050611192.0000000003C7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_134.exe PID: 4428, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_134.exe PID: 6160, type: MEMORYSTR
                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                  Windows Management Instrumentation
                  1
                  DLL Side-Loading
                  1
                  DLL Side-Loading
                  1
                  Disable or Modify Tools
                  2
                  OS Credential Dumping
                  1
                  File and Directory Discovery
                  Remote Services11
                  Archive Collected Data
                  1
                  Encrypted Channel
                  1
                  Exfiltration Over Alternative Protocol
                  Abuse Accessibility Features
                  CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts11
                  Process Injection
                  1
                  Deobfuscate/Decode Files or Information
                  21
                  Input Capture
                  24
                  System Information Discovery
                  Remote Desktop Protocol2
                  Data from Local System
                  1
                  Non-Application Layer Protocol
                  Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)3
                  Obfuscated Files or Information
                  1
                  Credentials in Registry
                  111
                  Security Software Discovery
                  SMB/Windows Admin Shares1
                  Email Collection
                  11
                  Application Layer Protocol
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                  Software Packing
                  NTDS1
                  Process Discovery
                  Distributed Component Object Model21
                  Input Capture
                  Protocol ImpersonationTraffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                  Timestomp
                  LSA Secrets141
                  Virtualization/Sandbox Evasion
                  SSH1
                  Clipboard Data
                  Fallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                  DLL Side-Loading
                  Cached Domain Credentials1
                  Application Window Discovery
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                  Masquerading
                  DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job141
                  Virtualization/Sandbox Evasion
                  Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
                  Process Injection
                  /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                  Source | Detection | Scanner | Label
                  LisectAVT_2403002A_134.exe | 100% | Avira | TR/Spy.AgentTesla.wmsgb
                  LisectAVT_2403002A_134.exe | 100% | Joe Sandbox ML |
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner | Label
                  https://account.dyn.com/ | 0% | URL Reputation | safe
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                  http://ftp.normagroup.com.tr | 0% | Avira URL Cloud | safe
                  https://fsf.org/ | 0% | Avira URL Cloud | safe
                  https://www.gnu.org/licenses/ | 0% | Avira URL Cloud | safe
                  https://download.alegsoftware.ga/ws_switches/contatore/ltromatic.ttf | 0% | Avira URL Cloud | safe
                  https://www.gnu.org/licenses/why-not-lgpl.html | 0% | Avira URL Cloud | safe
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  ftp.normagroup.com.tr | 104.247.165.99 | true | true | | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://ftp.normagroup.com.tr | LisectAVT_2403002A_134.exe, 00000003.00000002.4490186653.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_134.exe, 00000003.00000002.4490186653.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://account.dyn.com/ | LisectAVT_2403002A_134.exe, 00000000.00000002.2050611192.0000000003C7E000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_134.exe, 00000003.00000002.4486327299.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://fsf.org/ | LisectAVT_2403002A_134.exe | false | Avira URL Cloud: safe | unknown
                    https://www.gnu.org/licenses/why-not-lgpl.html | LisectAVT_2403002A_134.exe | false | Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | LisectAVT_2403002A_134.exe, 00000003.00000002.4490186653.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://download.alegsoftware.ga/ws_switches/contatore/ltromatic.ttf | LisectAVT_2403002A_134.exe | false | Avira URL Cloud: safe | unknown
                    https://www.gnu.org/licenses/ | LisectAVT_2403002A_134.exe | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.247.165.99 | ftp.normagroup.com.tr | United States | 8100 | ASN-QUADRANET-GLOBALUS | true
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1482508
                    Start date and time:2024-07-25 23:55:41 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 8m 30s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:LisectAVT_2403002A_134.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@3/1@1/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 78
                    • Number of non-executed functions: 3
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • VT rate limit hit for: LisectAVT_2403002A_134.exe
Time | Type | Description
17:56:31 | API Interceptor | 11557891x Sleep call for process: LisectAVT_2403002A_134.exe modified
Match: 104.247.165.99
Associated Sample Name / URL | Detection | Threat Name
hesaphareketi_____.exe | malicious | AgentTesla
hesaphareketi__.exe | malicious | AgentTesla
hesaphareketi-.exe | malicious | AgentTesla
hesaphareketi-.exe | malicious | AgentTesla
hesaphareketi-01-pdf.exe | malicious | AgentTesla
19-03-2024_Takas_Sonuclari.exe | malicious | AgentTesla
CN-Invoice-0945413571-XXXXX6856-2312053735707600000.exe | malicious | AgentTesla
hesaphareketi-14-06-2024.exe | malicious | AgentTesla
hesaphareketi01.exe | malicious | AgentTesla
hesaphareketi01--.exe | malicious | AgentTesla
Match: ftp.normagroup.com.tr
Associated Sample Name / URL | Detection | Threat Name | Context
hesaphareketi_____.exe | malicious | AgentTesla | 104.247.165.99
hesaphareketi__.exe | malicious | AgentTesla | 104.247.165.99
hesaphareketi-.exe | malicious | AgentTesla | 104.247.165.99
hesaphareketi-.exe | malicious | AgentTesla | 104.247.165.99
hesaphareketi-01-pdf.exe | malicious | AgentTesla | 104.247.165.99
19-03-2024_Takas_Sonuclari.exe | malicious | AgentTesla | 104.247.165.99
CN-Invoice-0945413571-XXXXX6856-2312053735707600000.exe | malicious | AgentTesla | 104.247.165.99
hesaphareketi-14-06-2024.exe | malicious | AgentTesla | 104.247.165.99
hesaphareketi01.exe | malicious | AgentTesla | 104.247.165.99
hesaphareketi01--.exe | malicious | AgentTesla | 104.247.165.99
Match: ASN-QUADRANET-GLOBALUS
Associated Sample Name / URL | Detection | Threat Name | Context
LisectAVT_2403002B_335.exe | malicious | Metasploit | 147.78.240.110
LisectAVT_2403002B_448.exe | malicious | FormBook, PureLog Stealer | 107.167.58.6
LisectAVT_2403002C_6.exe | malicious | Remcos | 107.150.18.202
Lisect_AVT_24003_G1B_115.exe | malicious | PikaBot | 23.226.138.143
Lisect_AVT_24003_G1B_115.exe | malicious | PikaBot | 23.226.138.143
Lisect_AVT_24003_G1B_54.exe | malicious | PikaBot | 23.226.138.143
Lisect_AVT_24003_G1B_54.exe | malicious | PikaBot | 23.226.138.143
Lisect_AVT_24003_G1B_96.exe | malicious | PikaBot | 23.226.138.143
Lisect_AVT_24003_G1B_90.exe | malicious | PikaBot | 23.226.138.143
Lisect_AVT_24003_G1B_96.exe | malicious | PikaBot | 23.226.138.143
                                        Process:C:\Users\user\Desktop\LisectAVT_2403002A_134.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.34331486778365
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.907811331637465
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Windows Screen Saver (13104/52) 0.07%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        File name:LisectAVT_2403002A_134.exe
                                        File size:698'889 bytes
                                        MD5:d1294dbd0e36820875022093a0d469d8
                                        SHA1:f258083bf53ea6c32a6a3abf1244fd6470b6b4c1
                                        SHA256:a18411c60fb9f8f02d82b6d74662d7bef6798ba8119c9072b6c25ab29887f906
                                        SHA512:522cb911a1954a39449090d5bc80a132b1833bcf8b2599fb670aed1939a4c462ccb40d49f0b7174c5cb47032cea3b7238eeb8160cdb85f4a9a96176ae2365c64
                                        SSDEEP:12288:TN3gC74CMwbtve4PamkHhrIF52iyEO4SKvAGHYWfs11qBGviKmmZgDgNjIN:TN3FFCDhkFAuOBK54WUrWeiKRgDgpIN
                                        TLSH:98E41256FB9403B6C1A903B115BB1585B37AA42B6631C7582DD040ED67B2F208B3BFDB
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....9................0.................. ........@.. ....................................@................................
                                        Icon Hash:00928e8e8686b000
                                        Entrypoint:0x4abc9e
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0xF4AB3910 [Thu Jan 28 23:26:08 2100 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
xor al, 35h
xor eax, 43465138h
push eax
xor eax, 38453452h
xor dl, byte ptr [ecx+eax*2+5Ah]
push esi
dec eax
dec eax
inc ebx
inc esp
add byte ptr [eax], al
(the previous line repeats for 86 lines: 00 00 padding decoded as an instruction)
Only the first instruction is executed native code: with Imagebase 0x400000 the target 0x402000 is the IAT entry (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000, size 0x8) holding mscoree.dll!_CorExeMain, the usual entry stub of a .NET executable. The xor/push/dec/inc lines that follow are the bytes after the 6-byte stub disassembled as code; they are never reached, as execution continues in the CLR via _CorExeMain.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xabc49 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xac000 | 0x630 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xae000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xaa0a0 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa9cbc | 0xa9e00 | 2f18223ac8a82ab7e015256f553b7d21 | False | 0.9188238709529065 | data | 7.916457293076162 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xac000 | 0x630 | 0x800 | f9bd77d50f3f4ab4bb81c41737a4e4ab | False | 0.3388671875 | data | 3.486888036550185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xae000 | 0xc | 0x200 | 89c953fd7930a8b4f652950617b59f3c | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
The .text section's raw size of 0xa9e00 (695'808) bytes is 99.6% of the 698'889-byte file and its entropy is 7.92, so the file-level entropy of 7.91 comes from one large block of high-entropy (compressed or encrypted) content inside the only executable section rather than from plain CIL code.
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xac090 | 0x3a0 | data | - | - | 0.4170258620689655
RT_MANIFEST | 0xac440 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
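The header facts above (a link timestamp in the year 2100, a single executable section holding almost the whole file at entropy 7.92, and mscoree.dll!_CorExeMain as the only import) are the first things a triage script checks. The following is an added example, not code from Joe Sandbox or from the analysed sample: a minimal PE header walk in Python that decodes IMAGE_FILE_HEADER.TimeDateStamp, computes per-section entropy, detects the CLR (COM descriptor) directory and applies the three rules. It runs on a constructed PE32 blob (`build_sample_pe`, assembled inline with the report's timestamp, a CLR directory and one high-entropy executable section; it is not the analysed binary). The entropy threshold of 7.5 and the 80% size share are assumed heuristics, and `ANALYSIS_TIME` is the report's start time converted to UTC.

```python
"""Header triage for a PE32 sample: decode IMAGE_FILE_HEADER.TimeDateStamp, measure
per-section entropy and detect the CLR header, i.e. the checks behind the
'suspicious time stamp', 'high-entropy .text' and '.NET assembly' facts."""
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Start of the analysis run in the report (2024-07-25 23:55:41 +02:00) in UTC.
ANALYSIS_TIME = datetime(2024, 7, 25, 21, 55, 41, tzinfo=timezone.utc)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IDX_COM_DESCRIPTOR = 14          # data-directory slot of the CLR (COM descriptor) header


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_timestamp(ts: int) -> datetime:
    """Decode the 32-bit link time without fromtimestamp()'s platform year limits."""
    return EPOCH + timedelta(seconds=ts)


def parse_pe(blob: bytes) -> dict:
    """Minimal PE32/PE32+ header walk: link time, sections with entropy, CLR directory."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)       # PE32 vs PE32+ optional header layout
    ndirs = struct.unpack_from("<I", blob, dd_off - 4)[0]  # NumberOfRvaAndSizes
    clr = (0, 0)
    if ndirs > IDX_COM_DESCRIPTOR:
        clr = struct.unpack_from("<II", blob, dd_off + IDX_COM_DESCRIPTOR * 8)
    sections = []
    for i in range(nsections):                           # 40-byte IMAGE_SECTION_HEADERs follow the optional header
        f = struct.unpack_from("<8sIIIIIIHHI", blob, opt + opt_size + i * 40)
        name, vsize, va, rawsize, rawptr, chars = f[0], f[1], f[2], f[3], f[4], f[9]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize, "chars": chars,
            "entropy": shannon_entropy(blob[rawptr:rawptr + rawsize]),
        })
    return {"timestamp": timestamp, "clr": tuple(clr), "sections": sections, "size": len(blob)}


def triage(info: dict, analysis_time: datetime = ANALYSIS_TIME,
           high_entropy: float = 7.5, min_share: float = 0.8) -> list:
    """Findings a reviewer would pull out of the header facts (thresholds are assumptions)."""
    findings = []
    built = pe_timestamp(info["timestamp"])
    if built > analysis_time:
        findings.append(f"link time {built:%Y-%m-%d %H:%M:%S} UTC lies in the future: forged timestamp")
    for s in info["sections"]:
        share = s["rawsize"] / info["size"]
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] >= high_entropy and share >= min_share:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} over {share:.0%} of the file, "
                            "executable section is mostly compressed/encrypted data")
    if info["clr"][1]:
        findings.append("CLR header present: managed assembly, native entry is only the _CorExeMain stub")
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not the analysed binary) with the same header traits:
    the report's timestamp, a CLR directory and one high-entropy executable section."""
    text = bytes(range(256)) * 16                     # 4096 bytes, entropy exactly 8.0
    rsrc = b"\0" * 256                                # low-entropy resource section
    opt = bytearray(224)                              # PE32 optional header incl. 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + IDX_COM_DESCRIPTOR * 8, 0x2008, 0x48)
    raw0 = 512                                        # 392 header bytes padded to file alignment
    raw1 = raw0 + len(text)

    def section(name, va, data, ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), ptr, 0, 0, 0, 0, chars)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0xF4AB3910, 0, 0, len(opt), 0x102)
    headers = (dos + coff + bytes(opt)
               + section(b".text", 0x2000, text, raw0, 0x60000020)   # CODE|EXECUTE|READ
               + section(b".rsrc", 0x3000, rsrc, raw1, 0x40000040))  # INITIALIZED_DATA|READ
    return headers.ljust(raw0, b"\0") + text + rsrc


if __name__ == "__main__":
    for line in triage(parse_pe(build_sample_pe())):
        print(line)
```

`parse_pe` can be pointed at a real file with `parse_pe(open(path, "rb").read())`; the timestamp decode avoids `datetime.fromtimestamp`, which can refuse 32-bit values this far in the future on some platforms.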
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-25T23:57:32.103539+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 50705 | 20.12.23.50 | 192.168.2.5
2024-07-25T23:56:51.669552+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49710 | 20.12.23.50 | 192.168.2.5
Both alerts fired on inbound TCP/443 data from 20.12.23.50, a host that is not in the contacted-host tables above and is not the FTP connection to 104.247.165.99 listed below; treat them as unrelated to the sample's exfiltration attempt unless the full capture shows otherwise.
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 23:56:35.093894005 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99
Jul 25, 2024 23:56:35.099463940 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
Jul 25, 2024 23:56:35.099608898 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99
Jul 25, 2024 23:56:35.746723890 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
Jul 25, 2024 23:56:35.749955893 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99
Jul 25, 2024 23:56:35.758173943 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
Jul 25, 2024 23:56:35.975574017 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
Jul 25, 2024 23:56:35.975747108 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99
Jul 25, 2024 23:56:35.980951071 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
Jul 25, 2024 23:56:40.616291046 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
Jul 25, 2024 23:56:40.623230934 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99
Jul 25, 2024 23:56:40.628833055 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
Jul 25, 2024 23:56:40.629026890 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 23:56:34.733170986 CEST | 61169 | 53 | 192.168.2.5 | 1.1.1.1
Jul 25, 2024 23:56:35.087996006 CEST | 53 | 61169 | 1.1.1.1 | 192.168.2.5
Jul 25, 2024 23:56:54.602580070 CEST | 53 | 57522 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 25, 2024 23:56:34.733170986 CEST | 192.168.2.5 | 1.1.1.1 | 0xd641 | Standard query (0) | ftp.normagroup.com.tr | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 25, 2024 23:56:35.087996006 CEST | 1.1.1.1 | 192.168.2.5 | 0xd641 | No error (0) | ftp.normagroup.com.tr | - | 104.247.165.99 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jul 25, 2024 23:56:35.746723890 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 1 of 50 allowed.
  220-Local time is now 00:56. Server port: 21.
  220-This is a private system - No anonymous login
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Jul 25, 2024 23:56:35.749955893 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99 | USER admin@normagroup.com.tr
Jul 25, 2024 23:56:35.975574017 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5 | 331 User admin@normagroup.com.tr OK. Password required
Jul 25, 2024 23:56:35.975747108 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99 | PASS Kingdom12345@
Jul 25, 2024 23:56:40.616291046 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5 | 530 Login authentication failed
The six 220 lines are one multi-line greeting (the per-packet view repeated the accumulated banner on every line). The sample sends its exfiltration credentials on port 21 without negotiating AUTH TLS, although the server advertises [TLS], so both the account and the password are recoverable from the capture. The server replied 530, so the login failed and nothing was uploaded in this session.
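The FTP exchange above is what an FTP-based credential drop looks like on the wire, and it is worth extracting automatically from a capture. As an added example (not part of the report or of the sample), the Python parser below folds the multi-line 220 greeting into one reply, records USER and PASS, notes whether AUTH TLS was negotiated before any credential and reads the server's verdict on the login. The `SESSION` list embeds the control-channel lines from the capture above; the 'S'/'C' direction tags are the example's own convention, as is the split of `result` into "ok", "failed" and unknown.

```python
"""Pull the login attempt out of a captured FTP control channel, the artefact that an
FTP-exfiltrating stealer leaves in network traffic."""
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional, Tuple

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

# Control-channel lines of the port-21 session to 104.247.165.99 shown in the
# report above; 'S' = server, 'C' = client (the sample).
SESSION = [
    ("S", "220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------"),
    ("S", "220-You are user number 1 of 50 allowed."),
    ("S", "220-Local time is now 00:56. Server port: 21."),
    ("S", "220-This is a private system - No anonymous login"),
    ("S", "220-IPv6 connections are also welcome on this server."),
    ("S", "220 You will be disconnected after 15 minutes of inactivity."),
    ("C", "USER admin@normagroup.com.tr"),
    ("S", "331 User admin@normagroup.com.tr OK. Password required"),
    ("C", "PASS Kingdom12345@"),
    ("S", "530 Login authentication failed"),
]


@dataclass
class FtpLogin:
    user: Optional[str] = None
    password: Optional[str] = None
    tls: bool = False              # server accepted AUTH TLS (234) before any credential
    result: Optional[str] = None   # "ok" (230), "failed" (5xx reply to PASS) or None
    banner: list = field(default_factory=list)


def parse_ftp_session(lines: Iterable[Tuple[str, str]]) -> FtpLogin:
    """Walk the control channel and record the credential exchange it carries.

    Multi-line replies ('ddd-' continuation lines closed by a 'ddd ' line) are
    folded into one reply, which a per-packet view does not do."""
    login, open_code, last_cmd = FtpLogin(), None, None
    for who, text in lines:
        if who == "C":
            verb, _, arg = text.partition(" ")
            last_cmd = verb.upper()
            if last_cmd == "USER":
                login.user = arg
            elif last_cmd == "PASS":
                login.password = arg
            continue
        m = REPLY.match(text)
        if not m:
            continue                                   # not a reply line
        code, sep, msg = m.groups()
        if code == "220":
            login.banner.append(msg.strip("- "))
        if open_code:
            if not (code == open_code and sep == " "):
                continue                               # still inside the multi-line reply
            open_code = None                           # closing line: interpret it below
        elif sep == "-":
            open_code = code                           # first line of a multi-line reply
            continue
        if last_cmd == "AUTH" and code == "234":
            login.tls = True                           # later commands are encrypted on the wire
        elif last_cmd == "PASS":
            if code == "230":
                login.result = "ok"
            elif code.startswith("5"):
                login.result = "failed"
    return login


def describe(login: FtpLogin, host: str) -> str:
    """One-line finding for a report or an alert."""
    channel = "TLS-protected" if login.tls else "cleartext"
    outcome = {"ok": "login accepted (230), an upload may have followed",
               "failed": "login rejected (5xx), nothing was uploaded"}.get(login.result, "no final reply seen")
    return f"{channel} FTP login to {host} as {login.user!r} with password {login.password!r}: {outcome}"


if __name__ == "__main__":
    print(describe(parse_ftp_session(SESSION), "ftp.normagroup.com.tr"))
```

When a session does negotiate AUTH TLS, everything after the 234 reply is encrypted, so a capture yields `tls=True` with no user or password; that absence is itself the signal that the credentials were protected in transit.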

                                        Target ID:0
                                        Start time:17:56:31
                                        Start date:25/07/2024
                                        Path:C:\Users\user\Desktop\LisectAVT_2403002A_134.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\LisectAVT_2403002A_134.exe"
                                        Imagebase:0x540000
                                        File size:698'889 bytes
                                        MD5 hash:D1294DBD0E36820875022093A0D469D8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2050611192.0000000003C7E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2050611192.0000000003C7E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        Target ID:3
                                        Start time:17:56:33
                                        Start date:25/07/2024
                                        Path:C:\Users\user\Desktop\LisectAVT_2403002A_134.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\LisectAVT_2403002A_134.exe"
                                        Imagebase:0x980000
                                        File size:698'889 bytes
                                        MD5 hash:D1294DBD0E36820875022093A0D469D8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4490186653.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4486327299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4486327299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4490186653.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4490186653.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false


                                          Execution Graph

                                          Execution Coverage:5.6%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:103
                                          Total number of Limit Nodes:12
execution_graph: node dump of the dynamic/decrypted-code call graph (node addresses in the 0x00f9xxxx and 0x0291xxxx regions). API calls reached from it: PostMessageW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CreateActCtxA, GetModuleHandleW, LoadLibraryExW, FindCloseChangeNotification, DuplicateHandle.
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2052078075.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4fb0000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (o]q$(o]q$,aq$,aq$Haq
                                          • API String ID: 0-2157538030
                                          • Opcode ID: a06f72db7c4b6cb058e9e2a4d965c33888ef6bf4da40062b62d6ff4dd63233fa
                                          • Instruction ID: 643caadd2fa883ef270a0590bf9ee7a4f30ae1339298f39cd70d9eaa5048946c
                                          • Opcode Fuzzy Hash: a06f72db7c4b6cb058e9e2a4d965c33888ef6bf4da40062b62d6ff4dd63233fa
                                          • Instruction Fuzzy Hash: 51529035B00155DFDB18DF6AC488AAE7BB2BF8A710B158169E855DB364DB30EC42CBD0

                                          Control-flow Graph
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2052078075.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4fb0000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: D
                                          • API String ID: 0-2746444292
                                          • Opcode ID: e154689435109d44656df15c2f0257247caafb1cd0c06d61c08f08e3b170ea6f
                                          • Instruction ID: cdfbbf456afe06379c80e13dc509089f1d3dece3789193f3a14eedca98f2f878
                                          • Opcode Fuzzy Hash: e154689435109d44656df15c2f0257247caafb1cd0c06d61c08f08e3b170ea6f
                                          • Instruction Fuzzy Hash: 2B52CB74A002188FDB54DF68D998AADBBB6FF89300F1045D9D509A73A5DF34AE81CF90

                                          Control-flow Graph
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 00F9D4B6
                                          • GetCurrentThread.KERNEL32 ref: 00F9D4F3
                                          • GetCurrentProcess.KERNEL32 ref: 00F9D530
                                          • GetCurrentThreadId.KERNEL32 ref: 00F9D589
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049203243.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f90000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 454a1c7d5fd36f349b053874d3ffa97b5143adbcd516cc4a87464bd2cf1c4cfd
                                          • Instruction ID: abd27c31a93ebd24a815bfa05f01934f1331e158d8ab403325134cce35c6d840
                                          • Opcode Fuzzy Hash: 454a1c7d5fd36f349b053874d3ffa97b5143adbcd516cc4a87464bd2cf1c4cfd
                                          • Instruction Fuzzy Hash: A75168B0D003498FEB14DFA9D548BAEBBF1FF88314F248459E009A73A1D778A945CB65

                                          Control-flow Graph
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 00F9D4B6
                                          • GetCurrentThread.KERNEL32 ref: 00F9D4F3
                                          • GetCurrentProcess.KERNEL32 ref: 00F9D530
                                          • GetCurrentThreadId.KERNEL32 ref: 00F9D589
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049203243.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f90000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 1615d35fbab16eefabfc25e969be6e16f145e2f0770291f469cfcafb1d9f70c8
                                          • Instruction ID: 5215dbb53e54dbf3f7e72ad71ff74f7b37f5f50f91e635966dcbf651e46f784d
                                          • Opcode Fuzzy Hash: 1615d35fbab16eefabfc25e969be6e16f145e2f0770291f469cfcafb1d9f70c8
                                          • Instruction Fuzzy Hash: 015146B09003098FEB14DFAAD548BAEBBF1FF88314F248459E009A7361D778A944CB65

                                          Control-flow Graph
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00F9AFFE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049203243.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f90000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 08d7dd87a5de7f428b317509eee2dd71b7b4f3f80e0def30e33a1686c346456e
                                          • Instruction ID: 25fc82981031c10ac1604dbd09e5bbe3b67a9411c91aab822a313ab8c9a0226c
                                          • Opcode Fuzzy Hash: 08d7dd87a5de7f428b317509eee2dd71b7b4f3f80e0def30e33a1686c346456e
                                          • Instruction Fuzzy Hash: FF714470A00B058FEB24DF2AD44475ABBF1FF88314F108A2ED48AD7A50DB75E945CB91

                                          Control-flow Graph
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 00F959C9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049203243.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f90000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 6ed85639b7cb867de513a402a1825b90e14ae8b9842a21fa4ea96ea53a25daf2
                                          • Instruction ID: 6f8d6778296650b4d9aa706c7ac8fd280c0ddfb92d31518b06c636185cca4e89
                                          • Opcode Fuzzy Hash: 6ed85639b7cb867de513a402a1825b90e14ae8b9842a21fa4ea96ea53a25daf2
                                          • Instruction Fuzzy Hash: E54101B0C00619CFEF25DFA9C884B9DBBF5BF88704F24806AD409AB251DB756946CF91

                                          Control-flow Graph
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 00F959C9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049203243.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f90000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 07e23610f88968057b39db34d4409c1dba9d46fc7bd01b500ab41596ecdf6df4
                                          • Instruction ID: c5ae640d5687662c436ccbb58cbcc4d9379f4a35ec786a3a4ce1a4fd7217f86b
                                          • Opcode Fuzzy Hash: 07e23610f88968057b39db34d4409c1dba9d46fc7bd01b500ab41596ecdf6df4
                                          • Instruction Fuzzy Hash: 9641EFB0C00719CAEF25DFA9C884B9EBBF5BF48704F20806AD409AB255DB756946CF91

                                          Control-flow Graph
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F9D707
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049203243.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f90000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: fe01c2f1228f49ee5a0e5426b18a78d3e22f797e53294d36a9921a45f44a0b1a
                                          • Instruction ID: 5a30aea818cd8015ab304458c19b70f51deacfb7c04158984852fedd14efe3fd
                                          • Opcode Fuzzy Hash: fe01c2f1228f49ee5a0e5426b18a78d3e22f797e53294d36a9921a45f44a0b1a
                                          • Instruction Fuzzy Hash: E121E3B5D002089FDB10CF9AD584ADEBBF5EB48320F14801AE958A7251D378A945CFA5

                                          Control-flow Graph
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F9D707
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049203243.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f90000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: c32aeb825bfee1c7b827fec485b6731a8cfd1fcfe460439da1027951c0d7022b
                                          • Instruction ID: 65c036b46cc87fbc2ec7070db70e7244954caee5803b4e8df999739ccc98662a
                                          • Opcode Fuzzy Hash: c32aeb825bfee1c7b827fec485b6731a8cfd1fcfe460439da1027951c0d7022b
                                          • Instruction Fuzzy Hash: B621C4B5D002489FDB10CF9AD584ADEFBF9FB48310F14841AE918A7350D379A944CFA5

                                          Control-flow Graph
                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F9B079,00000800,00000000,00000000), ref: 00F9B28A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049203243.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f90000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: a9fa98c9da0ce6068dc11016fe85036647a0da493f585501dace77f998f7e446
                                          • Instruction ID: 7672b1070949494344faaf1c32c7c59ec2ccfce9d8e1de9fc78b93d64c1c4841
                                          • Opcode Fuzzy Hash: a9fa98c9da0ce6068dc11016fe85036647a0da493f585501dace77f998f7e446
                                          • Instruction Fuzzy Hash: 961114B6D003489FDB10DF9AD544A9EFBF4EB48710F10842AD519A7600C379A945CFA4

                                          Control-flow Graph
                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F9B079,00000800,00000000,00000000), ref: 00F9B28A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049203243.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f90000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: 204d844f5cf5a4a9c40c3840992f61deb42330b428ae3a67d77a47ac4ad947d3
                                          • Instruction ID: b31d3150132f46e5076ed9f9e3979fdd9bea8bfe9694d6cdcfb7ef1b98b44c10
                                          • Opcode Fuzzy Hash: 204d844f5cf5a4a9c40c3840992f61deb42330b428ae3a67d77a47ac4ad947d3
                                          • Instruction Fuzzy Hash: C21123B6C042488FDB10CF9AD544ADEFBF4EF89320F10842AD519A7200C379A545CFA4

                                          Control-flow Graph
                                          APIs
                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 029134E0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049818772.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2910000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID: ChangeCloseFindNotification
                                          • String ID:
                                          • API String ID: 2591292051-0
                                          • Opcode ID: 4eeaedf4edf4784101fd0f672d570bdc6e16622544fedb29e914f941bbd56ba6
                                          • Instruction ID: 8a3598893402ffa241da1ca9af16af25220269d183d696c19b842ae8591a24ec
                                          • Opcode Fuzzy Hash: 4eeaedf4edf4784101fd0f672d570bdc6e16622544fedb29e914f941bbd56ba6
                                          • Instruction Fuzzy Hash: 211125B18007498FCB20DF9AC545BDEBBF4EB48320F20845AD959A7740C779A544CFA5

                                          Control-flow Graph
                                          APIs
                                          • PostMessageW.USER32(?,?,?,?), ref: 029114AD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049818772.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2910000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 6cc66adaeb88ec6f57b8248fc6a97dc8f19a8fa32626b487a2caa3f7ca4c4b1d
                                          • Instruction ID: cb8935ff2b5ec08142eaa5b31fc4e822bc691a3df51037238a492649be427d3e
                                          • Opcode Fuzzy Hash: 6cc66adaeb88ec6f57b8248fc6a97dc8f19a8fa32626b487a2caa3f7ca4c4b1d
                                          • Instruction Fuzzy Hash: B011E3B58003499FCB10DF9AD985BDEFBF8EB49720F108459D559A7240C375A584CFA1
                                          APIs
                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 029134E0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049818772.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2910000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID: ChangeCloseFindNotification
                                          • String ID:
                                          • API String ID: 2591292051-0
                                          • Opcode ID: 76b142fb07c2d8716e20941643550da9f878fe8b7e2df1af87fe98a9e41e68c5
                                          • Instruction ID: 7a3e1d99416226eccc251191fb3637b6186840f1570d1a3b2c7426e329c63293
                                          • Opcode Fuzzy Hash: 76b142fb07c2d8716e20941643550da9f878fe8b7e2df1af87fe98a9e41e68c5
                                          • Instruction Fuzzy Hash: F81133B18003498FCB20DF9AC545BDEBBF8EB48320F20845AD958A7240C739A544CFA5
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00F9AFFE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049203243.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f90000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: eb7794fb0920188f4691302d8d251a3b21b6e34e858bcbc85bd1d2219324f294
                                          • Instruction ID: 35c5a7d591297fd1e6efcb7e13a2ac64f90bdbf80dbf15134f3962498d59b4f7
                                          • Opcode Fuzzy Hash: eb7794fb0920188f4691302d8d251a3b21b6e34e858bcbc85bd1d2219324f294
                                          • Instruction Fuzzy Hash: 101110B6C002498FDB20CF9AD444ADEFBF4EF88324F10841AD529A7210C379A545CFA1
                                          APIs
                                          • PostMessageW.USER32(?,?,?,?), ref: 029114AD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049818772.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2910000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 4ccb82ec3aece2755a33f992b34ed355da330adb90ec65e2ec875e97aa530e12
                                          • Instruction ID: a27484fa0dda282863d89f86e4082826616bbc8b1dc0d9a4c4627ddbb9a67576
                                          • Opcode Fuzzy Hash: 4ccb82ec3aece2755a33f992b34ed355da330adb90ec65e2ec875e97aa530e12
                                          • Instruction Fuzzy Hash: F611E2B58003499FDB10DF9AD985BDEFBF8FB48724F10845AE619A7240C379A944CFA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2048847857.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_efd000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 63594dfd3accf05e50718fad106b083829735ebf3fe66dc2720b1cafdd1f8238
                                          • Instruction ID: efad9a6fe41ef9186280505af9f4f58706b9facb4794082b2013cc479bce13fb
                                          • Opcode Fuzzy Hash: 63594dfd3accf05e50718fad106b083829735ebf3fe66dc2720b1cafdd1f8238
                                          • Instruction Fuzzy Hash: 4421F771508208DFEB05DF54DDC0B26BF66FB88314F20C569EA051B266C336D816DBA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2048917286.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f0d000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 175e317c5f238c9d9e6df678853c01b05345fd8117d0d33ecfbe928f91170834
                                          • Instruction ID: 931567b0a2c132196f80f3180c7c0d61e6d57b32459eb56d38a0b015d135d6c8
                                          • Opcode Fuzzy Hash: 175e317c5f238c9d9e6df678853c01b05345fd8117d0d33ecfbe928f91170834
                                          • Instruction Fuzzy Hash: 6221F271604204DFDB14DF64D984B26BF65FB88324F20C569D94E4B29AC33AD807EA62
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2048917286.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f0d000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 93bba48f9f1477c35c3f9bec18889c24c0d6f0d2b14682d0f71df719f0aad6cd
                                          • Instruction ID: 8a13491e6feb00153394a511d37e8c7eaf20f6e1d2b85278da5806ad5466dc8e
                                          • Opcode Fuzzy Hash: 93bba48f9f1477c35c3f9bec18889c24c0d6f0d2b14682d0f71df719f0aad6cd
                                          • Instruction Fuzzy Hash: A221F275944204DFCB04DF94D9C0B26BB65FB98324F20C56DD8094B296C37AD846FAA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2048917286.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f0d000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6bdedb4ce924824aaf109084802610ce81156c0e7e955036bcbf28c0dc85c7b3
                                          • Instruction ID: 588c4051fbecb60cf37c51b31b2597511ffb2fc77f2d9165ad012639ab688ea1
                                          • Opcode Fuzzy Hash: 6bdedb4ce924824aaf109084802610ce81156c0e7e955036bcbf28c0dc85c7b3
                                          • Instruction Fuzzy Hash: 3B2192755093C08FCB02CF24D994715BF71EB46324F28C5EAD8498F6A7C33A980ADB62
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2048847857.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_efd000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
                                          • Instruction ID: f0134f46bd1774ee148544fd3ff3a2103bc5c44182a5f6a558db6e4c27ce2a74
                                          • Opcode Fuzzy Hash: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
                                          • Instruction Fuzzy Hash: 4721E476404244CFDB06CF00D9C4B26BF72FB84314F24C5A9DD040B266C336D416CBA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2048917286.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f0d000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                          • Instruction ID: cd88c3e968c5f3add00208115b66c4b05e0ce8ec3bfcf392acfeff4eb145e65c
                                          • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                          • Instruction Fuzzy Hash: C3118E75904240DFDB05CF54D5C4B15FB61FB44324F24C6A9D8494B696C33AD84AEBA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2048847857.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_efd000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cc79c7d83862ff927a91f388081bc1e93a27a8493488087591711163a2ac7550
                                          • Instruction ID: 81953ddd37cfcc902901504c8e4333c41d10579e123caeca400aea8417bba680
                                          • Opcode Fuzzy Hash: cc79c7d83862ff927a91f388081bc1e93a27a8493488087591711163a2ac7550
                                          • Instruction Fuzzy Hash: 9201F7310083489AE720AA16CD84BB6BF9CEF46324F18C52BEE095E2D6D2799801CA71
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2048847857.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_efd000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1465da9d421a3d3aebf8c0fc2286115aed614d867aa1f56d09a4c564ac8c6040
                                          • Instruction ID: 546370d0e2d019658c65af6d01c51833aecbd4a09d2f7220ce7439594c4130a1
                                          • Opcode Fuzzy Hash: 1465da9d421a3d3aebf8c0fc2286115aed614d867aa1f56d09a4c564ac8c6040
                                          • Instruction Fuzzy Hash: 43F0C2714083449AE7109E16CC88B62FF98EF96338F18C45AEE085F2D6C2799840CAB0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049818772.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2910000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 690246cb11f69d301fab1b89d45e0f44019c64fa9e5d20c2c16c19a4f2019a0e
                                          • Instruction ID: a84ddb9436d9df28d7291d5b8ef4bed9ded17ef003828eb3226e311e25db762b
                                          • Opcode Fuzzy Hash: 690246cb11f69d301fab1b89d45e0f44019c64fa9e5d20c2c16c19a4f2019a0e
                                          • Instruction Fuzzy Hash: 6EF12131A017589FDB19EB7AC8507AE7BFAAF89304F1444AED505CB2A1DF38D902CB51
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049203243.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f90000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2ddc4d95d42fd11d4b3ee0fba4fb30aca48bf83148731f03479898a4a42717ba
                                          • Instruction ID: 2cd9a857f6f63395fcf6409dcd764a7e991b09cf044d30a1c7425e40f1260888
                                          • Opcode Fuzzy Hash: 2ddc4d95d42fd11d4b3ee0fba4fb30aca48bf83148731f03479898a4a42717ba
                                          • Instruction Fuzzy Hash: CAA18D36E002098FDF05DFB4C84459EB7B6FF85314B25857AE901EB262DB35D91ADB40
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049818772.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2910000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fb4c066f018d205505f95cf17c23d9b97ddb4b8981d73c64632850e16ae90f91
                                          • Instruction ID: 7da86f1bd5a0bc05bf3f672e8c1f1509f5643882d7df0adb1d4e465100419cf7
                                          • Opcode Fuzzy Hash: fb4c066f018d205505f95cf17c23d9b97ddb4b8981d73c64632850e16ae90f91
                                          • Instruction Fuzzy Hash: 03E0ED38D5921CCBCB108F46E8496F8BB78EB4F311F0164A6980EA3251CB324AC5CF40

                                          Execution Graph

                                          Execution Coverage: 12%
                                          Dynamic/Decrypted Code Coverage: 100%
                                          Signature Coverage: 0%
                                          Total number of Nodes: 27
                                          Total number of Limit Nodes: 5
                                          execution_graph 30968 6a24738 30970 6a2479d 30968->30970 30969 6a24c00 WaitMessage 30969->30970 30970->30969 30971 6a247ea 30970->30971 30972 1350848 30974 135084e 30972->30974 30973 135091b 30974->30973 30977 135144b 30974->30977 30982 1351340 30974->30982 30978 1351356 30977->30978 30979 1351444 30978->30979 30981 135144b GlobalMemoryStatusEx 30978->30981 30987 1357059 30978->30987 30979->30974 30981->30978 30984 1351356 30982->30984 30983 1351444 30983->30974 30984->30983 30985 135144b GlobalMemoryStatusEx 30984->30985 30986 1357059 GlobalMemoryStatusEx 30984->30986 30985->30984 30986->30984 30988 1357063 30987->30988 30989 1357119 30988->30989 30992 626d278 30988->30992 30996 626d288 30988->30996 30989->30978 30993 626d29d 30992->30993 30994 626d4ae 30993->30994 30995 626d4ca GlobalMemoryStatusEx 30993->30995 30994->30989 30995->30993 30997 626d29d 30996->30997 30998 626d4ae 30997->30998 30999 626d4ca GlobalMemoryStatusEx 30997->30999 30998->30989 30999->30997
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c322c71477a6b299f9532837422406b355c8818cb26dc1990830fba84b8083d8
                                          • Instruction ID: f0c125611ea6ebaead111351a751636723130af4bc919a2206d967eebeced8b4
                                          • Opcode Fuzzy Hash: c322c71477a6b299f9532837422406b355c8818cb26dc1990830fba84b8083d8
                                          • Instruction Fuzzy Hash: EF632B31D10B1A8ADB11EF68C840AA9F7B1FF99304F15D79AE45877121EB70AAD4CF81
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6b07d8bd0230dee391265c2856b39beb38a9c7c24cfc49a398c1d8d51d282b1a
                                          • Instruction ID: 17d65d918370a6321b17a6856341a036d9630c5c902487a7e04f2ad2f0f2db33
                                          • Opcode Fuzzy Hash: 6b07d8bd0230dee391265c2856b39beb38a9c7c24cfc49a398c1d8d51d282b1a
                                          • Instruction Fuzzy Hash: E7332F31D107198EDB11EF68C890AADF7B1FF99304F15C79AE449A7221EB70AAC5CB41

                                          Control-flow Graph

                                          control_flow_graph 2863 6a24738-6a2479b 2864 6a247ca-6a247e8 2863->2864 2865 6a2479d-6a247c7 2863->2865 2870 6a247f1-6a24828 2864->2870 2871 6a247ea-6a247ec 2864->2871 2865->2864 2875 6a24c59 2870->2875 2876 6a2482e-6a24842 2870->2876 2873 6a24caa-6a24cbf 2871->2873 2879 6a24c5e-6a24c74 2875->2879 2877 6a24871-6a24890 2876->2877 2878 6a24844-6a2486e 2876->2878 2885 6a24892-6a24898 2877->2885 2886 6a248a8-6a248aa 2877->2886 2878->2877 2879->2873 2887 6a2489a 2885->2887 2888 6a2489c-6a2489e 2885->2888 2889 6a248c9-6a248d2 2886->2889 2890 6a248ac-6a248c4 2886->2890 2887->2886 2888->2886 2892 6a248da-6a248e1 2889->2892 2890->2879 2893 6a248e3-6a248e9 2892->2893 2894 6a248eb-6a248f2 2892->2894 2897 6a248ff-6a2491c call 6a237c8 2893->2897 2895 6a248f4-6a248fa 2894->2895 2896 6a248fc 2894->2896 2895->2897 2896->2897 2900 6a24922-6a24929 2897->2900 2901 6a24a71-6a24a75 2897->2901 2900->2875 2902 6a2492f-6a2496c 2900->2902 2903 6a24c44-6a24c57 2901->2903 2904 6a24a7b-6a24a7f 2901->2904 2912 6a24972-6a24977 2902->2912 2913 6a24c3a-6a24c3e 2902->2913 2903->2879 2905 6a24a81-6a24a94 2904->2905 2906 6a24a99-6a24aa2 2904->2906 2905->2879 2908 6a24ad1-6a24ad8 2906->2908 2909 6a24aa4-6a24ace 2906->2909 2910 6a24b77-6a24b8c 2908->2910 2911 6a24ade-6a24ae5 2908->2911 2909->2908 2910->2913 2925 6a24b92-6a24b94 2910->2925 2915 6a24ae7-6a24b11 2911->2915 2916 6a24b14-6a24b36 2911->2916 2917 6a249a9-6a249be call 6a237ec 2912->2917 2918 6a24979-6a24987 call 6a237d4 2912->2918 2913->2892 2913->2903 2915->2916 2916->2910 2953 6a24b38-6a24b42 2916->2953 2923 6a249c3-6a249c7 2917->2923 2918->2917 2932 6a24989-6a249a2 call 6a237e0 2918->2932 2928 6a24a38-6a24a45 2923->2928 2929 6a249c9-6a249db call 6a237f8 2923->2929 2930 6a24be1-6a24bfe call 6a237c8 2925->2930 2931 6a24b96-6a24bcf 2925->2931 2928->2913 2944 6a24a4b-6a24a55 call 6a23808 2928->2944 2956 6a24a1b-6a24a33 2929->2956 2957 6a249dd-6a24a0d 2929->2957 2930->2913 2943 6a24c00-6a24c2c WaitMessage 2930->2943 2947 6a24bd1-6a24bd7 2931->2947 2948 6a24bd8-6a24bdf 2931->2948 2942 6a249a7 2932->2942 2942->2923 2950 6a24c33 2943->2950 2951 6a24c2e 2943->2951 2959 6a24a57-6a24a5f call 6a23814 2944->2959 2960 6a24a64-6a24a6c call 6a23820 2944->2960 2947->2948 2948->2913 2950->2913 2951->2950 2964 6a24b44-6a24b4a 2953->2964 2965 6a24b5a-6a24b75 2953->2965 2956->2879 2971 6a24a14 2957->2971 2972 6a24a0f 2957->2972 2959->2913 2960->2913 2969 6a24b4e-6a24b50 2964->2969 2970 6a24b4c 2964->2970 2965->2910 2965->2953 2969->2965 2970->2965 2971->2956 2972->2971
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4494349356.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_6a20000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5ec8e8ea7700cb50178c741042e1345419fb00e18dfc8443449566b5b31d8b68
                                          • Instruction ID: b94b6afd71de7e11a55b5a8f7e0520b760f485c2ddc5c5ed863a990b1b605373
                                          • Opcode Fuzzy Hash: 5ec8e8ea7700cb50178c741042e1345419fb00e18dfc8443449566b5b31d8b68
                                          • Instruction Fuzzy Hash: F1F14B30E4021ACFDB54EFA9C944BADBBF1FF48304F158568E409AF265DB75A945CB80
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 34aeaef65497d23ca24a782f2723738905618d735ea3f4eed2913ae9a327acd6
                                          • Instruction ID: b738d2dfa6fa90432a2b286bd946976973b359c1103a4e00f2aa0c0ca0a51525
                                          • Opcode Fuzzy Hash: 34aeaef65497d23ca24a782f2723738905618d735ea3f4eed2913ae9a327acd6
                                          • Instruction Fuzzy Hash: 9A32BC34A00204CFDB55DF68D884BADBBB6EF88718F148569E80ADB396DB34DC46CB51
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8ba57bf6be48c2b0234e16d33bfda604ce7bb143c9043deee04f385997abd702
                                          • Instruction ID: a1d0eae3d7e62ca3f8ef5af8c568c96f44d5153f4dfd7f64503e9e4b974d0648
                                          • Opcode Fuzzy Hash: 8ba57bf6be48c2b0234e16d33bfda604ce7bb143c9043deee04f385997abd702
                                          • Instruction Fuzzy Hash: 00B17F70E002099FDF58CFA9C985BDDBBF2AF88718F148129D859E7254FB749881CB81
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1d085ec9e9df3755af11a3557417bbcae430e1dcdf2266bf2a0cb04a2bfe9be8
                                          • Instruction ID: fabebeebf158890920d71a09573ca2b4c917dd3b74a3f3f7a51b3def7d0edeb6
                                          • Opcode Fuzzy Hash: 1d085ec9e9df3755af11a3557417bbcae430e1dcdf2266bf2a0cb04a2bfe9be8
                                          • Instruction Fuzzy Hash: A0917170E00209DFDF54CFA9C985B9DBBF2BF88758F148129E819A7254EB749885CB81

                                          Control-flow Graph

                                          control_flow_graph 2301 1356eab-1356ebe 2302 1356ec4-1356ec6 2301->2302 2303 1356f39-1356f55 2302->2303 2304 1356ec8-1356f0a call 1356c08 2302->2304 2306 1356f57-1356f5a 2303->2306 2337 1356f26-1356f30 2304->2337 2338 1356f0c-1356f25 call 135634c 2304->2338 2308 1356f5c-1356f63 2306->2308 2309 1356f6e-1356f71 2306->2309 2310 1356f69 2308->2310 2311 1357168-135716f 2308->2311 2312 1356f81-1356f84 2309->2312 2313 1356f73 2309->2313 2310->2309 2315 1356fb7-1356fba 2312->2315 2316 1356f86-1356f9a 2312->2316 2346 1356f73 call 1357998 2313->2346 2347 1356f73 call 1357988 2313->2347 2317 1356ff6-1356ff8 2315->2317 2318 1356fbc-1356ff1 2315->2318 2325 1356fa0 2316->2325 2326 1356f9c-1356f9e 2316->2326 2321 1356fff-1357002 2317->2321 2322 1356ffa 2317->2322 2318->2317 2319 1356f79-1356f7c 2319->2312 2321->2306 2324 1357008-1357017 2321->2324 2322->2321 2332 1357041-1357056 2324->2332 2333 1357019-135701c 2324->2333 2327 1356fa3-1356fb2 2325->2327 2326->2327 2327->2315 2332->2311 2336 1357024-135703f 2333->2336 2336->2332 2336->2333 2337->2302 2344 1356f32-1356f38 2337->2344 2344->2303 2346->2319 2347->2319
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LR]q$LR]q
                                          • API String ID: 0-3917262905
                                          • Opcode ID: 3344236e1e7bd7c862ae9df351d1284ffbce984325da9b7b8a76dada6718ab42
                                          • Instruction ID: 1f723162a95b20c5843d1189d4ea1ed10a2b97899364c2f72af0cf0b49ee9f90
                                          • Opcode Fuzzy Hash: 3344236e1e7bd7c862ae9df351d1284ffbce984325da9b7b8a76dada6718ab42
                                          • Instruction Fuzzy Hash: 3E512770E102099FDB56CF79C855BAEBBB2EF85708F908469E805EB341DB74D846CB41

                                          Control-flow Graph

                                          control_flow_graph 2348 135f43d-135f444 2349 135f446-135f46b 2348->2349 2350 135f42d-135f434 2348->2350 2351 135f46d-135f470 2349->2351 2352 135f493-135f495 2351->2352 2353 135f472-135f48e 2351->2353 2354 135f497 2352->2354 2355 135f49c-135f49f 2352->2355 2353->2352 2354->2355 2355->2351 2357 135f4a1-135f4c7 2355->2357 2362 135f4ce-135f4fc 2357->2362 2367 135f573-135f597 2362->2367 2368 135f4fe-135f508 2362->2368 2376 135f5a1 2367->2376 2377 135f599 2367->2377 2371 135f520-135f571 2368->2371 2372 135f50a-135f510 2368->2372 2371->2367 2371->2368 2374 135f514-135f516 2372->2374 2375 135f512 2372->2375 2374->2371 2375->2371 2379 135f5a2 2376->2379 2377->2376 2379->2379
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PH]q$]
                                          • API String ID: 0-1571398443
                                          • Opcode ID: deed502b44133ebb61e3444d4c2f8d9dfc0a8a376154d01f5044c2ee9cd73345
                                          • Instruction ID: 7388356069d412c9375bee467897f34e0ae78adfd4ea808cf63c2b3fd50fc887
                                          • Opcode Fuzzy Hash: deed502b44133ebb61e3444d4c2f8d9dfc0a8a376154d01f5044c2ee9cd73345
                                          • Instruction Fuzzy Hash: 264132307042058FDB56AF38D518A6E3BFAAF85648F144978E806DB34ADF39CC02CB91
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4493766129.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_6260000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 50bd6777e4a0da177f5c8f947d32d4300651afcd563ffda1a3be2f3dc22a6765
                                          • Instruction ID: e6668003043e6f840a070cad7130aa5e1cf175a732b7152fe95923e6b4d14f61
                                          • Opcode Fuzzy Hash: 50bd6777e4a0da177f5c8f947d32d4300651afcd563ffda1a3be2f3dc22a6765
                                          • Instruction Fuzzy Hash: EA412571E143958FC704CFA9D8542EEBBF5EF89310F1586AAE804E7241DB789885CBD0
                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE(00000025), ref: 0626E1D7
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4493766129.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_6260000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          • Opcode ID: 303499c2decf1bbcfbf44c55296e74db50fbc8ce4f951ac3f22bf7ae7a52a307
                                          • Instruction ID: 203f1a60ca6efc874800be5c5a3067e7bbbf60f0352201057186eb12db994a1f
                                          • Opcode Fuzzy Hash: 303499c2decf1bbcfbf44c55296e74db50fbc8ce4f951ac3f22bf7ae7a52a307
                                          • Instruction Fuzzy Hash: 0B1112B5C006599BCB10DF9AD444B9EFBF4EF48320F11816AE818A7240D378A940CFE1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PH]q
                                          • API String ID: 0-3168235125
                                          • Opcode ID: 9238b5f009f206c985f0c2f4c3df413ac2bfd2ed8c676ba97beda5f9313ed4cf
                                          • Instruction ID: c027fe416dc68962ace64f489edba666d980c70b3b8aa5b675649b19aa326902
                                          • Opcode Fuzzy Hash: 9238b5f009f206c985f0c2f4c3df413ac2bfd2ed8c676ba97beda5f9313ed4cf
                                          • Instruction Fuzzy Hash: 03310430B002058FDB59AF38D514A6E3BEBAF85648F204938E806DB399DF75DD06C791
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LR]q
                                          • API String ID: 0-3081347316
                                          • Opcode ID: a21ff3696e4d34f4e617ceedc578bcde8ab944d3a7b2e5ab9007a6690732d17b
                                          • Instruction ID: 139f6581adba7de383575f827f1e6684205bed981ae2eddfc28ea9d0f6ae1ca8
                                          • Opcode Fuzzy Hash: a21ff3696e4d34f4e617ceedc578bcde8ab944d3a7b2e5ab9007a6690732d17b
                                          • Instruction Fuzzy Hash: 0B319275E102099BDF65CFA9C841BAEB7B6FF85708F908529E805EB241DBB0D846CB41
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LR]q
                                          • API String ID: 0-3081347316
                                          • Opcode ID: daadb640322b24b5ca9c4a5dd9afb2427c63c9775a7a4fe5c8cbee749e8bae34
                                          • Instruction ID: f28455bd7d5a1db4d0fa8b1aa10af78edbea5c344463ef6e3453aec0b5f11f93
                                          • Opcode Fuzzy Hash: daadb640322b24b5ca9c4a5dd9afb2427c63c9775a7a4fe5c8cbee749e8bae34
                                          • Instruction Fuzzy Hash: 3721D6316092805FC707AB7A982969E3FF5DF86214B0544EED045CB3A7EA698C09C792
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8bf21d7613f6b28760f18b64442f9df2536367b0f072ea232817fda3a58eb1b4
                                          • Instruction ID: a25b6a6885bc7eafcea9912e4ac104f3166e0c19d248c2a61ec566c2dc205fe1
                                          • Opcode Fuzzy Hash: 8bf21d7613f6b28760f18b64442f9df2536367b0f072ea232817fda3a58eb1b4
                                          • Instruction Fuzzy Hash: F4127330700201CFDB65AB38E989A2C36ABEF85358B50493DE905CB355CF79EC8AD795
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1ffbd0d21362c0f2b613d20b09c7b31afd585194ddac621ad888d782437b37b6
                                          • Instruction ID: 2320da6aee6d58e0a8783653e0799c5966e938a0f496adfc0296000f6c0295de
                                          • Opcode Fuzzy Hash: 1ffbd0d21362c0f2b613d20b09c7b31afd585194ddac621ad888d782437b37b6
                                          • Instruction Fuzzy Hash: 44127230700201CFDB65AB3CE889A2C36ABEF85758B504939E905CB355CF79EC8AD795
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f3d08248958d663c0d9116eaedac513f781f4f892e51a8cb8889ed7ac2135b00
                                          • Instruction ID: 3e713ab41a4bd2997131b9b028fbcc4ad8e5c880e7760f893c3aea52b8e7bb00
                                          • Opcode Fuzzy Hash: f3d08248958d663c0d9116eaedac513f781f4f892e51a8cb8889ed7ac2135b00
                                          • Instruction Fuzzy Hash: 47A16C70E00209DFDF58CFA8D985BDDBBF1AF88B18F148129D859E7254EB749885CB81
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5c36e9215ec6e53e26831cabb7d8fe81282558a16f81ce55b6f22164be4fa3ba
                                          • Instruction ID: 62cb258296038e87eaa21ddd8064f9086a9989c897a34a545723ee06ae7d2497
                                          • Opcode Fuzzy Hash: 5c36e9215ec6e53e26831cabb7d8fe81282558a16f81ce55b6f22164be4fa3ba
                                          • Instruction Fuzzy Hash: C8916D34A00208CFCB55DF69D584AADBBF6EF88718F248565E806EB365DB34EC46CB50
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c13b6815c1f8d4768ee17d802b52294754f4365fd919dd554e7b6300bf973170
                                          • Instruction ID: b2495802e6ea8d710e6667edae3d3ababe40338f82a8ccbbbc3e663e04addbf7
                                          • Opcode Fuzzy Hash: c13b6815c1f8d4768ee17d802b52294754f4365fd919dd554e7b6300bf973170
                                          • Instruction Fuzzy Hash: CBA17D70E00209DFDF54CFA8C985BEDBBF1BF88758F148129E818A7254EB749885CB91
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7c19ab7c73aa6bc46ff69a95adac4a564bd9c9e222c958e43af3f699317875b6
                                          • Instruction ID: 73817151014dcbc24a0c0381261e43929e27c04428c0a1a798ed9827238230f2
                                          • Opcode Fuzzy Hash: 7c19ab7c73aa6bc46ff69a95adac4a564bd9c9e222c958e43af3f699317875b6
                                          • Instruction Fuzzy Hash: 0E716E70E00249DFDB58CFA9D885BDDBFF1BF88718F148129D819A7254E7749881CB91
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a452458ad8405b185ac48a419c191da3921823e1a75e54e031699355cd45846d
                                          • Instruction ID: 28d96259311c0d1823f5fd928653e3d2281aaee48fedd417bcfcc0c9c4d48487
                                          • Opcode Fuzzy Hash: a452458ad8405b185ac48a419c191da3921823e1a75e54e031699355cd45846d
                                          • Instruction Fuzzy Hash: 5F716070E00249DFDB58CFA9D885B9DBFF1BF88718F148129D819A7254EB749881CB91
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b309a1e1e87426df7ffbdcb68aa8af8398048ac5c190753e36c6231329ccea1c
                                          • Instruction ID: fcf171b13b4158b62491cc30fdc476d989d0e94157df806db5473ea9de5834cd
                                          • Opcode Fuzzy Hash: b309a1e1e87426df7ffbdcb68aa8af8398048ac5c190753e36c6231329ccea1c
                                          • Instruction Fuzzy Hash: B05143B4E002188FDB58CFA9C895B9DBBF1FF48718F548519E819AB390C774A844CF91
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b44185eb69023ae4cbb86a6d27106000e4073c091a3d8b97f73c84b84fa9eeba
                                          • Instruction ID: d8d0a42e7a381a5583feb742aef23d9946412bc9657723afcc702f3b1d57b56a
                                          • Opcode Fuzzy Hash: b44185eb69023ae4cbb86a6d27106000e4073c091a3d8b97f73c84b84fa9eeba
                                          • Instruction Fuzzy Hash: 1B5123B4E002188FDB58CFA9C885B9DBBF1FF48718F548519E819AB390DB74A844CF95
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 07b0d30e1583279cf8bb3c65bfecd16597bc51d21688263abb44957a59989491
                                          • Instruction ID: e624d0f2f65376ec4fa33e61d10941de498bb00e4515387514caba9bd718b8f9
                                          • Opcode Fuzzy Hash: 07b0d30e1583279cf8bb3c65bfecd16597bc51d21688263abb44957a59989491
                                          • Instruction Fuzzy Hash: B851D932A032458FCB1AEF28FD809563F6DFF553043008A69D0415B73EDB64792ADB91
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ef703c03d510823d3d7c1b1e9ac4cf68d9ab03377cfed7c99ec7386510fcd1c4
                                          • Instruction ID: 83b1cdf5b5f95ea3bfad74cc938298e80537291c0bea83f10b673702a55bf442
                                          • Opcode Fuzzy Hash: ef703c03d510823d3d7c1b1e9ac4cf68d9ab03377cfed7c99ec7386510fcd1c4
                                          • Instruction Fuzzy Hash: 9D41C632A031458FCB1AFF28FD809663F6DFB953043008A69D0455B73EDBA4792ADB91
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4a6d2a86f1593f358b395f895dea7251869e25e025aea043f4a54f0109862de3
                                          • Instruction ID: 45f722b0d89f5025697bc95576102d81058901eda43a1bf5995c0eb6f00be8eb
                                          • Opcode Fuzzy Hash: 4a6d2a86f1593f358b395f895dea7251869e25e025aea043f4a54f0109862de3
                                          • Instruction Fuzzy Hash: 1D319231E006058BDB55DF65D494A9EBBFAEF89304F108929EC06E7751DB30EC46CB40
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3f7244e5a72ad451042c97189b4c8455f1fe52ab64bd64f1364c2603d5ff17de
                                          • Instruction ID: aa15f5f7c8a5e4eaee6ac9e934fee4876a281821d516523d30b1d86d2905abcc
                                          • Opcode Fuzzy Hash: 3f7244e5a72ad451042c97189b4c8455f1fe52ab64bd64f1364c2603d5ff17de
                                          • Instruction Fuzzy Hash: 2241FEB4D00349DFDB14DFA9C484ADEBFB5FF48704F24802AE809AB254DB75A949CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4c96e6fc982c03985ea49acf7766a2726031c1547734d8a2a54ad1498f1e8a8d
                                          • Instruction ID: 995532303568ca9bd567553ba1ca5d70d403b0a060d97a0932f4184a687fd9fc
                                          • Opcode Fuzzy Hash: 4c96e6fc982c03985ea49acf7766a2726031c1547734d8a2a54ad1498f1e8a8d
                                          • Instruction Fuzzy Hash: 85316D31B01245CFDF95EB78C450AAE7BB2AF89708F10046CD902AB765DB369D06CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b3f0b7d088bdc412da9d614292344709321f6ccb167ab5bbe211ff525509f002
                                          • Instruction ID: b84bc3a0bf7f3f44e405bcac158e806190f053d5c0669c7ad30f7600a0375988
                                          • Opcode Fuzzy Hash: b3f0b7d088bdc412da9d614292344709321f6ccb167ab5bbe211ff525509f002
                                          • Instruction Fuzzy Hash: EB318031E006098BDB55DF69D894A9EBBBAEF89704F108929EC06E7351DB70EC46CB50
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b183bfb43056a0b8f7c8b7c2d9334ee7b7021fb104fce032fa3b250b8891d253
                                          • Instruction ID: 55d9c74066304e59b33164532bbbedcf21366f68ee9c2a5979ff05e5624e44b0
                                          • Opcode Fuzzy Hash: b183bfb43056a0b8f7c8b7c2d9334ee7b7021fb104fce032fa3b250b8891d253
                                          • Instruction Fuzzy Hash: 6D410EB4D00348DFDB14DFA9C484ADEBFB5FF48714F208029E809AB254DB75A949CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c717e5d7764ffe32ad6ff022de757a25d7fcdfb270b53c99fcadd48d754fe319
                                          • Instruction ID: aa9a735b7baa9dcdbfe907ed3cbbcbcefaf2e8892eb7bc036f5a6663f048b357
                                          • Opcode Fuzzy Hash: c717e5d7764ffe32ad6ff022de757a25d7fcdfb270b53c99fcadd48d754fe319
                                          • Instruction Fuzzy Hash: 0C316B31B00205CFDF94EB68C550AAE77B6AF48748F100468C802AB7A4DB36DD01CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7a2850d3ee7940edc7675ac966fe857b45fb3522ee3283047f7210d521148c12
                                          • Instruction ID: 4d98fd6ba4c518662fc467ceee852a35c3f2ecd582c78e49622542ad19ed8e7c
                                          • Opcode Fuzzy Hash: 7a2850d3ee7940edc7675ac966fe857b45fb3522ee3283047f7210d521148c12
                                          • Instruction Fuzzy Hash: 2A31A231E00209DBDB45CF65D450B9EFBB6AF85308F148519EC05EB356DB719846CB41
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3b3e977867808113efdeffb10717dcbdb36d2eee49ed6a05e46f78bb50b75e43
                                          • Instruction ID: 853db9d013cc6528b519df3dcfcf7775b2a32cee52c20c4622b2094a40715e74
                                          • Opcode Fuzzy Hash: 3b3e977867808113efdeffb10717dcbdb36d2eee49ed6a05e46f78bb50b75e43
                                          • Instruction Fuzzy Hash: ED21F7356011014FDB63AB3CF884F693769EB45718F140AB1D80ACB26AD768DC55CBA2
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2701eaeeab340b59d039a500c74e17817f8f96f1e82752a4965cbcec1af5160e
                                          • Instruction ID: 9ad11d1cf3e56a8384020c700307e1d0a625edb22f7eb5468f423238f81cd83e
                                          • Opcode Fuzzy Hash: 2701eaeeab340b59d039a500c74e17817f8f96f1e82752a4965cbcec1af5160e
                                          • Instruction Fuzzy Hash: 86212135700214DFD709EB78D85862D77ABEFC8704B10886CE50A9B3A9CF359C56CB91
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 490b9ddc2e5072d9c733877b5261723b3b96aa1d8966281c527255df890411a4
                                          • Instruction ID: edeab7a3ee00e3721242e64cc96960b4ad0c2fdae5c36404f6f1463e98858308
                                          • Opcode Fuzzy Hash: 490b9ddc2e5072d9c733877b5261723b3b96aa1d8966281c527255df890411a4
                                          • Instruction Fuzzy Hash: 5F217131A00209DBDB45CF69D884B9EF7B6AF89308F14D619EC05EB352DB709845CB91
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4121a1bf6bd76b090983c6ea55e5808db441377a539f07e06736093bcfd1d93b
                                          • Instruction ID: 0d825aebe8b4c554e94eb2fa933e79aa2240953f4267828d6fe4b2cb18ed29e0
                                          • Opcode Fuzzy Hash: 4121a1bf6bd76b090983c6ea55e5808db441377a539f07e06736093bcfd1d93b
                                          • Instruction Fuzzy Hash: E721B0B1E012559FCFA69BBC8450BED7FB5AF45618B1504BAEC05FB202E635C8428751
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 56efd71718720c1d5379fcfde597087dbbe1de20c1e570a31a912c2ae9c22c76
                                          • Instruction ID: ca29216a384f5f76fd0f7fa736d67bec0ace6c990b26d801e1a6596eba648254
                                          • Opcode Fuzzy Hash: 56efd71718720c1d5379fcfde597087dbbe1de20c1e570a31a912c2ae9c22c76
                                          • Instruction Fuzzy Hash: 9721D075E00209DBDB49CFA8C454BDEB7B6AF89758F10861AEC16FB340EB709942CB40
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6dfa3e077c7f656e8adfbc7e6f86cc9d2ac0258c6053c693877cd271cdd21d2e
                                          • Instruction ID: c3c11e75d8afb86c86be6c25e086142cb62d1d0f97c9b609acd9a0e15093ebdf
                                          • Opcode Fuzzy Hash: 6dfa3e077c7f656e8adfbc7e6f86cc9d2ac0258c6053c693877cd271cdd21d2e
                                          • Instruction Fuzzy Hash: 7E217C35B00205CFDBA5EBB8C514B9D77F6AF88748F104469D916EB7A4DB368D01CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 034638db6616a5e2a5b7fc8836ffb9e0b7d4f2a3b829202fe3dc3d9c330d4f22
                                          • Instruction ID: e1b7a7e8d2104ca1324ecf19803af7abfce485971ac827e5df800e7957ee01c9
                                          • Opcode Fuzzy Hash: 034638db6616a5e2a5b7fc8836ffb9e0b7d4f2a3b829202fe3dc3d9c330d4f22
                                          • Instruction Fuzzy Hash: 6721E474A011008FEF77573CE4A8B2D3B64EF06759F50087AE906CB393DAA9C895CB42
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4487714904.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_ffd000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3eba947a0c229a9dc09efe948a77c7b107009eee02ae061aca24df080ee39562
                                          • Instruction ID: caf02a0d0a98bab262dc617dbbb8a1c9596fcb3a381cfc3457d79b5f6866183e
                                          • Opcode Fuzzy Hash: 3eba947a0c229a9dc09efe948a77c7b107009eee02ae061aca24df080ee39562
                                          • Instruction Fuzzy Hash: 0021F571504208DFDB15DF24D5C4B26BF66FF84324F20C569DA0A4B36ACB3AD807EA62
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 01160d52a11265e95ac07e10bb84cf9a207a6b84922acbe9cb2883a11e7e6db8
                                          • Instruction ID: 7b9eaea29a9e52054cd14dfed2a65c815f3eaa46ce94fad16b71e57c07c48685
                                          • Opcode Fuzzy Hash: 01160d52a11265e95ac07e10bb84cf9a207a6b84922acbe9cb2883a11e7e6db8
                                          • Instruction Fuzzy Hash: E811E236F002018BDB626B7CA804B6E7BA5EB49B64F104929DE4AD3341EA35C8528B81
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d2210353c4c1987f6bc27b967ec5ec9b19dee0cbb82459266d810f7f901d4699
                                          • Instruction ID: a59aa508297a2c2a5d1dd303ba79e8e646f921ff684e302d6f38571fcb84f88f
                                          • Opcode Fuzzy Hash: d2210353c4c1987f6bc27b967ec5ec9b19dee0cbb82459266d810f7f901d4699
                                          • Instruction Fuzzy Hash: 4E219231B00105CFEB54DB69C958FAE7BFAAF88B18F144065E901EB3A5DA719D008B90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2f644ee05b57b66059cc61d8192ce190462a828a5512767913747ca3d1c2559c
                                          • Instruction ID: 399055b27fdeee0377ea37b21085eb3f48c9256b050f79836fa7f8796644188e
                                          • Opcode Fuzzy Hash: 2f644ee05b57b66059cc61d8192ce190462a828a5512767913747ca3d1c2559c
                                          • Instruction Fuzzy Hash: 4A21A130E00209DBDB59CFA9C444A9EF7B6BF89748F10862AEC15FB340DB71A946CB51
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8e20b10799ea5ed40eb7f35dc04712d669a68272f49e71b7f887c0fba8944d6b
                                          • Instruction ID: 7a05a58cf99b2167d0977cb436566adfc663e69067b5bd8ac437490f63a1a1bb
                                          • Opcode Fuzzy Hash: 8e20b10799ea5ed40eb7f35dc04712d669a68272f49e71b7f887c0fba8944d6b
                                          • Instruction Fuzzy Hash: 8A213031B00209CFDBA4EB78C514BAE77F5AF49748F100468D906EB364DB368D41CBA1
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7e1b0a74adc7ed65680097867908ecdef69d149d05f839e6166049b0f19bcd8b
                                          • Instruction ID: 54100e45fc054a8a2f64036e137c7b4c8c593e91406e9f83a6347c9d0b088b8e
                                          • Opcode Fuzzy Hash: 7e1b0a74adc7ed65680097867908ecdef69d149d05f839e6166049b0f19bcd8b
                                          • Instruction Fuzzy Hash: CC2190356011014FDF63EB2CF884F5A376AEB45758F104A71D40AC736ADB68EC55CBA2
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 847a99f0b43072b4f15110cc5addfc668e4f01883c72fbbaac1374e4a2ba9fc9
                                          • Instruction ID: 22b677d26bce60d596c1c9f9e4e719f549d28486106fa96953ccff74d47147c8
                                          • Opcode Fuzzy Hash: 847a99f0b43072b4f15110cc5addfc668e4f01883c72fbbaac1374e4a2ba9fc9
                                          • Instruction Fuzzy Hash: 06212730B00205CFDBA5EB78C558AAD77F1AF88748F104468E906EB7A5EB769D05CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ab8db656a0aa3f5deb8009e8ac2414b0895f40be789f60d4adccf422a9137229
                                          • Instruction ID: 48e96b683394623ddac11fd76d21276ad1decf750f7920ce48956302091b8da9
                                          • Opcode Fuzzy Hash: ab8db656a0aa3f5deb8009e8ac2414b0895f40be789f60d4adccf422a9137229
                                          • Instruction Fuzzy Hash: CD212831B00205CFDB94EB78C558BAD77F1AF88748F104468E806EB368EB369D05CBA0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2a29acda13df358b22ae5c5b06408cb4546a87e21282c383dc80429ba23f8752
                                          • Instruction ID: a443de8e1c37cda46386c7568a9e4e6f3c4f4a39376710ff2242e66a79ac22e0
                                          • Opcode Fuzzy Hash: 2a29acda13df358b22ae5c5b06408cb4546a87e21282c383dc80429ba23f8752
                                          • Instruction Fuzzy Hash: 40112730A053049FDF9A5A79D814F397F69EF42B1CF10487AF816CF292DA26C8448BD2
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4487714904.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_ffd000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 309aed52bdc5cb6744667016acf929d77c38b6bba50bdd0e9acf692815b1bdc1
                                          • Instruction ID: 612d80951b625e2945377a2b01322d02781a3d8731977f8b0fa32dc33b0e83a9
                                          • Opcode Fuzzy Hash: 309aed52bdc5cb6744667016acf929d77c38b6bba50bdd0e9acf692815b1bdc1
                                          • Instruction Fuzzy Hash: F62180755093848FCB03CF24D994715BF72EF46314F28C5EAD9498B2A7C33A980ADB62
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f295be8ddaa5f707f938929e2f7bd0c22167487834aa360274f65abd045f7571
                                          • Instruction ID: 39ea103b1f178d72e913ceeda3c91c27f2d8d3097dd81fca62a7fd8684379d28
                                          • Opcode Fuzzy Hash: f295be8ddaa5f707f938929e2f7bd0c22167487834aa360274f65abd045f7571
                                          • Instruction Fuzzy Hash: 4D11C430B002048FDF99AA7DD504F2D3AA9EF41B18F104939F816CF356DA26CC458BD1
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b43e6eeb98c6e3b16b81bcf889d651f89bd90b9b0d3924f42f7685ac24f66853
                                          • Instruction ID: 0dd5767ece078e0f6946e785dbdae22d5b8c1cc56f66c40d4c3905aedd647747
                                          • Opcode Fuzzy Hash: b43e6eeb98c6e3b16b81bcf889d651f89bd90b9b0d3924f42f7685ac24f66853
                                          • Instruction Fuzzy Hash: 85018071A012158FCF65EFBD8450AAE7BF5EF48618B151479EC05F7201E736E842CBA1
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fdbcee1dc7848bb97af6c4237afc8336fe697a8d5b0b0101a9f278dc54022f82
                                          • Instruction ID: 0d0d86da459792d5aee78c71a395e82c70960fedd99633fb34b2107bf9f1e40d
                                          • Opcode Fuzzy Hash: fdbcee1dc7848bb97af6c4237afc8336fe697a8d5b0b0101a9f278dc54022f82
                                          • Instruction Fuzzy Hash: D501B931A00204CFDB14DF59D984B8ABBBAEF80714F54C574DC085F25AD774E906CBA1
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b3bfa0d16cea3921b3b835b6f95b60cde9ab51a5797f160406e813a0b43618e8
                                          • Instruction ID: b00e75d16127653b9ff59f87dfd2a3eae54e971c2c38210d043fb50d403c1b54
                                          • Opcode Fuzzy Hash: b3bfa0d16cea3921b3b835b6f95b60cde9ab51a5797f160406e813a0b43618e8
                                          • Instruction Fuzzy Hash: 91F02B73A04110CFDB62CBAD8490AAC7FB5EE64A29B1A00D7DC45EB251D639D542C751
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 14b9729cebe626bd70848ffb2095dd03c8f3e2ecebfe17308573bc7526c6617b
                                          • Instruction ID: e9c60659ff8dec435f712308006791cab0dd6cc05bed6f7fc76000a12c7b3d15
                                          • Opcode Fuzzy Hash: 14b9729cebe626bd70848ffb2095dd03c8f3e2ecebfe17308573bc7526c6617b
                                          • Instruction Fuzzy Hash: 98012C31A011899FCB06FBB4F99899C7B75EF41304B5045B9C405DB265DB346E1A8B52
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.4489486482.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1350000_LisectAVT_2403002A_134.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3c7892a152d69abdbb9624afae4bb160a89eecf11b737924bbe3cff3e88f6280
                                          • Instruction ID: ee62c184be2b02b418909a7435f2fc1792a2684724ac9320637b67125f922034
                                          • Opcode Fuzzy Hash: 3c7892a152d69abdbb9624afae4bb160a89eecf11b737924bbe3cff3e88f6280
                                          • Instruction Fuzzy Hash: C9F01935A011499FCB05FFB8F98499DBBB9EF40304F504678C509DB268EF306E198B92