Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
LisectAVT_2403002A_133.exe

Overview

General Information

Sample name:LisectAVT_2403002A_133.exe
Analysis ID:1482509
MD5:56808e1595200230cae4ae17b5dbb869
SHA1:ce0935fefed25268069331ba6277b4d14c385e28
SHA256:1a38e29dff73f042b8abb0ed1398a37eefa8fe3f6030e27a9a22b8964263b146
Tags:AgentTeslaexe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • LisectAVT_2403002A_133.exe (PID: 1088 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe" MD5: 56808E1595200230CAE4AE17B5DBB869)
    • powershell.exe (PID: 1424 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7544 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 1792 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 3868 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpCD6C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • LisectAVT_2403002A_133.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe" MD5: 56808E1595200230CAE4AE17B5DBB869)
  • GlIToApjgGEL.exe (PID: 7472 cmdline: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe MD5: 56808E1595200230CAE4AE17B5DBB869)
    • schtasks.exe (PID: 7676 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpE6EF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • GlIToApjgGEL.exe (PID: 7728 cmdline: "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe" MD5: 56808E1595200230CAE4AE17B5DBB869)
    • GlIToApjgGEL.exe (PID: 7736 cmdline: "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe" MD5: 56808E1595200230CAE4AE17B5DBB869)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.kabeercommodities.com", "Username": "export@kabeercommodities.com", "Password": "w{A6H.o&sz%g"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000018.00000002.2528847260.000000000307C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000012.00000002.2527987214.00000000031AC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000012.00000002.2527987214.0000000003181000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000012.00000002.2527987214.0000000003181000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000018.00000002.2528847260.0000000003051000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 18 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            19.2.GlIToApjgGEL.exe.3ae17c0.4.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              19.2.GlIToApjgGEL.exe.3ae17c0.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                19.2.GlIToApjgGEL.exe.3ae17c0.4.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x3174f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x317c1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x3184b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x318dd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x31947:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x319b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x31a4f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x31adf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                4.2.LisectAVT_2403002A_133.exe.403afe8.3.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  4.2.LisectAVT_2403002A_133.exe.403afe8.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    Click to see the 21 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe, ParentProcessId: 1088, ParentProcessName: LisectAVT_2403002A_133.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe", ProcessId: 1424, ProcessName: powershell.exe
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe, ParentProcessId: 1088, ParentProcessName: LisectAVT_2403002A_133.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe", ProcessId: 1424, ProcessName: powershell.exe
                    Sigma detected: Suspicious Add Scheduled Task Parent
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpE6EF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpE6EF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe, ParentImage: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe, ParentProcessId: 7472, ParentProcessName: GlIToApjgGEL.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpE6EF.tmp", ProcessId: 7676, ProcessName: schtasks.exe
                    Sigma detected: Suspicious Outbound SMTP Connections
                    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 45.91.139.1, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe, Initiated: true, ProcessId: 7320, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49706
                    Sigma detected: Suspicious Schtasks From Env Var Folder
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpCD6C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpCD6C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe, ParentProcessId: 1088, ParentProcessName: LisectAVT_2403002A_133.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpCD6C.tmp", ProcessId: 3868, ProcessName: schtasks.exe
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe, ParentProcessId: 1088, ParentProcessName: LisectAVT_2403002A_133.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe", ProcessId: 1424, ProcessName: powershell.exe

                    Persistence and Installation Behavior

                    barindex
                    Sigma detected: Scheduled temp file as task from temp location
                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpCD6C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpCD6C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe, ParentProcessId: 1088, ParentProcessName: LisectAVT_2403002A_133.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpCD6C.tmp", ProcessId: 3868, ProcessName: schtasks.exe

                    Snort Signatures

                    No Snort rule has matched

                    Suricata Signatures

                    Timestamp:2024-07-25T23:58:21.889521+0200
                    SID:2022930
                    Source Port:443
                    Destination Port:49709
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:2024-07-25T23:59:00.566677+0200
                    SID:2022930
                    Source Port:443
                    Destination Port:49714
                    Protocol:TCP
                    Classtype:A Network Trojan was detected

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: LisectAVT_2403002A_133.exeAvira: detected
                    Antivirus detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeAvira: detection malicious, Label: HEUR/AGEN.1323752
                    Found malware configuration
                    Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.kabeercommodities.com", "Username": "export@kabeercommodities.com", "Password": "w{A6H.o&sz%g"}
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeJoe Sandbox ML: detected
                    Machine Learning detection for sample
                    Source: LisectAVT_2403002A_133.exeJoe Sandbox ML: detected
                    Source: LisectAVT_2403002A_133.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49704 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49707 version: TLS 1.2
                    Source: LisectAVT_2403002A_133.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 4x nop then jmp 02A572EFh4_2_02A5696C
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 4x nop then jmp 02716507h19_2_02715B84

                    Networking

                    barindex
                    Yara detected Generic Downloader
                    Source: Yara matchFile source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, type: UNPACKEDPE
                    Source: global trafficTCP traffic: 192.168.2.7:49706 -> 45.91.139.1:587
                    Source: Joe Sandbox ViewIP Address: 45.91.139.1 45.91.139.1
                    Source: Joe Sandbox ViewIP Address: 172.67.74.152 172.67.74.152
                    Source: Joe Sandbox ViewIP Address: 172.67.74.152 172.67.74.152
                    Source: Joe Sandbox ViewASN Name: MEER-ASmeerfarbigGmbHCoKGDE MEER-ASmeerfarbigGmbHCoKGDE
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: global trafficTCP traffic: 192.168.2.7:49706 -> 45.91.139.1:587
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                    Source: global trafficDNS traffic detected: DNS query: mail.kabeercommodities.com
                    Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2539654353.0000000006927000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros;
                    Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.00000000031AC000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.000000000307C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://kabeercommodities.com
                    Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.00000000031AC000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.000000000307C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.kabeercommodities.com
                    Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2526645083.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2526645083.0000000001676000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.00000000031B4000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2526896258.0000000001249000.00000004.00000020.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003084000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://r10.i.lencr.org/09
                    Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2526645083.0000000001676000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.00000000031B4000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2526896258.0000000001249000.00000004.00000020.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003084000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://r10.o.lencr.org0#
                    Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1343518581.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.0000000003131000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000013.00000002.1402251524.0000000002810000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2526645083.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.00000000031B4000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2526896258.0000000001214000.00000004.00000020.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003084000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                    Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2526645083.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.00000000031B4000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2526896258.0000000001214000.00000004.00000020.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2539536816.00000000063CB000.00000004.00000020.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003084000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                    Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1344574120.0000000004000000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000004.00000002.1344574120.0000000004921000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000013.00000002.1403560028.0000000003AE1000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2522255682.0000000000415000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1344574120.0000000004000000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000004.00000002.1344574120.0000000004921000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.0000000003131000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000013.00000002.1403560028.0000000003AE1000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003001000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2522255682.0000000000415000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.0000000003131000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.0000000003131000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                    Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49704 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49707 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, NDL2m67zO.cs.Net Code: recg
                    Source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.raw.unpack, NDL2m67zO.cs.Net Code: recg

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 19.2.GlIToApjgGEL.exe.3ae17c0.4.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 19.2.GlIToApjgGEL.exe.3b1c1e0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 19.2.GlIToApjgGEL.exe.3b1c1e0.5.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 19.2.GlIToApjgGEL.exe.3ae17c0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 4_2_00F289404_2_00F28940
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 4_2_00F28C524_2_00F28C52
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 4_2_00F274C34_2_00F274C3
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 4_2_00F289E14_2_00F289E1
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 4_2_00F271A04_2_00F271A0
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 4_2_00F2750A4_2_00F2750A
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 4_2_00F279894_2_00F27989
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 4_2_02A528A74_2_02A528A7
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 4_2_02A528B84_2_02A528B8
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 4_2_02A508304_2_02A50830
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 4_2_02A51EF74_2_02A51EF7
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 4_2_02A51F084_2_02A51F08
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 4_2_02A52CE14_2_02A52CE1
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 4_2_02A52CF04_2_02A52CF0
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 4_2_02A58C184_2_02A58C18
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 4_2_02A50C684_2_02A50C68
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 4_2_085AB6684_2_085AB668
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 4_2_085AB6584_2_085AB658
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 18_2_0159E6A918_2_0159E6A9
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 18_2_0159D9C018_2_0159D9C0
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 18_2_01594A9818_2_01594A98
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 18_2_01593E8018_2_01593E80
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 18_2_015941C818_2_015941C8
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 18_2_06E465E018_2_06E465E0
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 18_2_06E4558018_2_06E45580
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 18_2_06E47D7818_2_06E47D78
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 18_2_06E4B21F18_2_06E4B21F
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 18_2_06E4303818_2_06E43038
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 18_2_06E4C17818_2_06E4C178
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 18_2_06E4769818_2_06E47698
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 18_2_06E45CCF18_2_06E45CCF
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 18_2_06E4059B18_2_06E4059B
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 18_2_06E4E3A018_2_06E4E3A0
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 18_2_06E4234018_2_06E42340
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 18_2_06E4001F18_2_06E4001F
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 19_2_0256894019_2_02568940
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 19_2_02568C5219_2_02568C52
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 19_2_025671A019_2_025671A0
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 19_2_0256740B19_2_0256740B
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 19_2_025689E119_2_025689E1
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 19_2_025674C319_2_025674C3
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 19_2_0256750A19_2_0256750A
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 19_2_0256798919_2_02567989
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 19_2_0271083019_2_02710830
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 19_2_027128B819_2_027128B8
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 19_2_027128A719_2_027128A7
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 19_2_02711EF719_2_02711EF7
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 19_2_02717F2019_2_02717F20
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 19_2_02711F0819_2_02711F08
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 19_2_02710C6819_2_02710C68
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 19_2_02712CF019_2_02712CF0
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 19_2_02712CE119_2_02712CE1
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_013EA19024_2_013EA190
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_013EE6B824_2_013EE6B8
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_013EA95824_2_013EA958
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_013E4A9824_2_013E4A98
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_013E3E8024_2_013E3E80
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_013E41C824_2_013E41C8
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_06B2558024_2_06B25580
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_06B265E024_2_06B265E0
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_06B27D7824_2_06B27D78
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_06B2B23024_2_06B2B230
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_06B2235024_2_06B22350
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_06B2C17824_2_06B2C178
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_06B2769824_2_06B27698
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_06B25CE024_2_06B25CE0
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_06B2E3A024_2_06B2E3A0
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_06B2000624_2_06B20006
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_06B2004024_2_06B20040
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_06B2032424_2_06B20324
                    Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1339585942.0000000000F6E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs LisectAVT_2403002A_133.exe
                    Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1347383930.0000000008503000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs LisectAVT_2403002A_133.exe
                    Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1347383930.0000000008503000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename#f vs LisectAVT_2403002A_133.exe
                    Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1347383930.0000000008503000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamerTnN.exe4 vs LisectAVT_2403002A_133.exe
                    Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1347383930.00000000084A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameschtasks.exej% vs LisectAVT_2403002A_133.exe
                    Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1344574120.0000000004000000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamed820472a-a748-4fee-95a9-5eaffb307398.exe4 vs LisectAVT_2403002A_133.exe
                    Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1344574120.0000000004000000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs LisectAVT_2403002A_133.exe
                    Source: LisectAVT_2403002A_133.exe, 00000004.00000000.1270481428.00000000008C8000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamerTnN.exe4 vs LisectAVT_2403002A_133.exe
                    Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1343518581.0000000002DCB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamed820472a-a748-4fee-95a9-5eaffb307398.exe4 vs LisectAVT_2403002A_133.exe
                    Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1347867209.0000000008740000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs LisectAVT_2403002A_133.exe
                    Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2523232143.00000000012F8000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs LisectAVT_2403002A_133.exe
                    Source: LisectAVT_2403002A_133.exeBinary or memory string: OriginalFilenamerTnN.exe4 vs LisectAVT_2403002A_133.exe
                    Source: LisectAVT_2403002A_133.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    Source: 19.2.GlIToApjgGEL.exe.3ae17c0.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 19.2.GlIToApjgGEL.exe.3b1c1e0.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 19.2.GlIToApjgGEL.exe.3b1c1e0.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 19.2.GlIToApjgGEL.exe.3ae17c0.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: LisectAVT_2403002A_133.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: GlIToApjgGEL.exe.4.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, OTWUo99bfyR.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, OTWUo99bfyR.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, Ui9qhZiA7.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, Ui9qhZiA7.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, BqMB7yHhrXg.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, BqMB7yHhrXg.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, BqMB7yHhrXg.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, BqMB7yHhrXg.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, oaIYYEGbjWh1PKKUmq.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, XSiZdC5Wk4sX5ZXI0h.csSecurity API names: _0020.SetAccessControl
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, XSiZdC5Wk4sX5ZXI0h.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, XSiZdC5Wk4sX5ZXI0h.csSecurity API names: _0020.AddAccessRule
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@21/15@2/2
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeFile created: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeMutant created: NULL
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeMutant created: \Sessions\1\BaseNamedObjects\eQQweYsDUhlpl
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2172:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_03
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeFile created: C:\Users\user\AppData\Local\Temp\tmpCD6C.tmpJump to behavior
                    Source: LisectAVT_2403002A_133.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: LisectAVT_2403002A_133.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeFile read: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe"
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpCD6C.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess created: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpE6EF.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess created: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe"
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess created: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe"
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpCD6C.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess created: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpE6EF.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess created: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess created: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: LisectAVT_2403002A_133.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: LisectAVT_2403002A_133.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    barindex
                    .NET source code contains potential unpacker
                    Source: 4.2.LisectAVT_2403002A_133.exe.2cf4a18.1.raw.unpack, wehuuoKhMKMbnQu72K.cs.Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
                    Source: 4.2.LisectAVT_2403002A_133.exe.6de0000.5.raw.unpack, wehuuoKhMKMbnQu72K.cs.Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, XSiZdC5Wk4sX5ZXI0h.cs.Net Code: QycL3A5n98 System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 4_2_00F2EA88 push eax; iretd 4_2_00F2EA89
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 18_2_0159A1DB pushfd ; retf 0565h18_2_0159A6B1
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 18_2_01590C45 push ebx; retf 18_2_01590C52
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeCode function: 18_2_01590C6D push edi; retf 18_2_01590C7A
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 19_2_0256EA88 push eax; iretd 19_2_0256EA89
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 19_2_025697B0 push 14027692h; iretd 19_2_0256987D
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 19_2_02714821 push esi; retf 19_2_02714822
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_013E0C6D push edi; retf 24_2_013E0C7A
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_013E0C53 push ebx; retf 24_2_013E0C52
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeCode function: 24_2_013E0C45 push ebx; retf 24_2_013E0C52
                    Source: LisectAVT_2403002A_133.exeStatic PE information: section name: .text entropy: 7.956613403047499
                    Source: GlIToApjgGEL.exe.4.drStatic PE information: section name: .text entropy: 7.956613403047499
                    Source: 4.2.LisectAVT_2403002A_133.exe.2cf4a18.1.raw.unpack, kdFvaMFVPKs73pA7Ae.csHigh entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
                    Source: 4.2.LisectAVT_2403002A_133.exe.2cf4a18.1.raw.unpack, DD.csHigh entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
                    Source: 4.2.LisectAVT_2403002A_133.exe.2cf4a18.1.raw.unpack, ihWImL1h2qjtIkVYDh.csHigh entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
                    Source: 4.2.LisectAVT_2403002A_133.exe.2cf4a18.1.raw.unpack, oImfMJtvGUo8fMQNBQ.csHigh entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
                    Source: 4.2.LisectAVT_2403002A_133.exe.2cf4a18.1.raw.unpack, wehuuoKhMKMbnQu72K.csHigh entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
                    Source: 4.2.LisectAVT_2403002A_133.exe.6de0000.5.raw.unpack, kdFvaMFVPKs73pA7Ae.csHigh entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
                    Source: 4.2.LisectAVT_2403002A_133.exe.6de0000.5.raw.unpack, DD.csHigh entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
                    Source: 4.2.LisectAVT_2403002A_133.exe.6de0000.5.raw.unpack, ihWImL1h2qjtIkVYDh.csHigh entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
                    Source: 4.2.LisectAVT_2403002A_133.exe.6de0000.5.raw.unpack, oImfMJtvGUo8fMQNBQ.csHigh entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
                    Source: 4.2.LisectAVT_2403002A_133.exe.6de0000.5.raw.unpack, wehuuoKhMKMbnQu72K.csHigh entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, Q0vpVvSH5GMpEnUVq3.csHigh entropy of concatenated method names: 'W8jKiuJ7LD', 'Fq2KybPnnI', 'yyZKprXC5j', 'J0eKYNvEee', 'dxlKcbcXSV', 'gUAKA5c97D', 'b91K5bQsn2', 'iHMKDgc52x', 'caDK0Eaq4t', 'XDTKkUKhZ3'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, d7eZWkjobMx1kktcNq.csHigh entropy of concatenated method names: 'twycWJ3oQk', 'AAJcyGu958', 'fG2cYeUEHI', 'wVkcAQBTiv', 'NLWc5NdjpT', 'gk5Ym4VkB6', 'RMTYeqbVsI', 'isPY4Ki7VD', 'dyXYShLbob', 'kZIYTYBwnp'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, l1ZjH3FqBk7m3jAhOp.csHigh entropy of concatenated method names: 'sN3trtrr6q', 'qIKtNenhld', 'rOptLebBA0', 'oZOtiLPsD9', 'SMxtysfFmr', 'S3StYPpOFk', 'qihtc96oQ8', 'zUHK4fuet9', 't7EKSHgFAd', 'LOQKTa5cGy'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, UABv9PrxcswaCKu77d9.csHigh entropy of concatenated method names: 'VCktZUcDgy', 'XxZtChhtHs', 'biEt3DpJul', 'koCtHwVaSl', 'AvdtEwZxfD', 'Ki8tvnmSis', 'o2AtbBSmtI', 'pDDtG4GKAK', 'n1atP5e10W', 'umutaqNo32'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, WLQyxlrNPWgvdrMdKHe.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yN9sR2g6ZQ', 'LrRsuXPuIy', 'QdusJJe3oI', 'fkCs9ETYNZ', 'hrmsmtANhw', 'fQKse3ySm2', 'hxos4XaZib'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, p681EQzv8P3Gf2coDi.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hUttwT2Wyj', 'AbBt8P46Xn', 'C6ut2rmo9I', 'zgWtOLaa1g', 'kDvtKBKvEh', 'qpSttVFynO', 'xDLtso2ADM'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, oaIYYEGbjWh1PKKUmq.csHigh entropy of concatenated method names: 'HBAyRmM8LY', 'wUVyuuSoPX', 'O3TyJ3i7nB', 'Lmny99S1yI', 'uyEymgt9Vu', 'QXKye9nSnc', 'nqUy4v21Bp', 'gufySu0yY8', 'y79yTxX1kh', 'UE3yFOwn82'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, VVbDJ6g1mjpxbiLeaT.csHigh entropy of concatenated method names: 'ysD3DTRk7', 'hUZHDB3PG', 'h9pvn1QkC', 'l45bclgr4', 'K3QPvLjJR', 'IPla6lFJh', 'zofZPBp8GNxAx3hw8P', 'i9d3Rvfc3tFMoGmyon', 'ugUKk43IB', 'avWsWpUdG'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, hF761QeXojqrtkst5L.csHigh entropy of concatenated method names: 'N4dOS7gQyy', 'affOFeHot3', 'BWiKxW4xB7', 'najKrpEQue', 'y2SOq1Uya7', 'r7lOBwNXlx', 'cxOOVemW8x', 'PAjORTSLBR', 'vdIOuYM5sy', 'rm0OJWpEYB'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, SEVygsUpenY03rhyRN.csHigh entropy of concatenated method names: 'SksAZILZBx', 'rbcAC5YIFx', 'omwA3s3EAh', 'TgPAHovWkW', 'AOBAEWIHkP', 'nGdAvHF9PJ', 'cTPAb8hcdd', 'WQRAGrdVIP', 'sBLAPn5vqv', 'QklAagQUFR'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, XSiZdC5Wk4sX5ZXI0h.csHigh entropy of concatenated method names: 'NLONWQeTVU', 'OhYNiXIEhM', 'VbSNy5nlVf', 'iGYNpmGC6P', 'h6bNYJldjS', 'N5nNcJyHYW', 'sWBNA0xPIX', 'DCkN5fPFVW', 'TdFNDUZZwB', 'PcaN0fGwux'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, ixE87fVco3u39tVeDd.csHigh entropy of concatenated method names: 'cTnwGk9lm5', 'mHnwP5T7f3', 'OwXwjkspvF', 'JJAwdQnbdS', 'A9RwhVN2f4', 'rm7woOa0HQ', 'jRMwfSYGaI', 'DvjwXuIUkR', 'WJhw1SmxoI', 'csNwqPbMeY'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, POksTqLv23gIDSTmtv.csHigh entropy of concatenated method names: 'JO8rAaIYYE', 'DjWr5h1PKK', 'oCQr04Qi43', 'YqNrkruhUm', 'LKWr8ncL7e', 'yWkr2obMx1', 'wvTnhcPZarpk054mmR', 'UMtRynZWACdxwUrZhC', 'T76rrqcjXX', 'PmqrNvnrcm'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, FFUGolJopXrievvJ4c.csHigh entropy of concatenated method names: 'ToString', 'iUW2qjhSAh', 'rd02dgurYc', 'chY2INAa3Z', 'PKl2hXQBeT', 'hgE2oM2jh3', 'gLl2M32bN8', 'Ets2ffjKh1', 'hSO2XfObqu', 'BTY2U9RZDE'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, YlGc4ZTI0YWd3fQsXx.csHigh entropy of concatenated method names: 'F0qKjGnNZn', 'kIvKds7BwO', 'eR4KINfIG1', 'OeUKhEqg0N', 'Du5KRh7P5p', 'AyXKo8IikI', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, YjEy6M9c2BTBmsjLfO.csHigh entropy of concatenated method names: 'E7yO0KkHnM', 'nN4Ok0rb2c', 'ToString', 'OTGOiqB70W', 'VFcOyeYglF', 'bwgOpHRFcL', 'sVbOYUZVpJ', 'lkTOcxvxW6', 'aRgOAbHdNb', 'SbqO5QFGTl'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, iBZpNwPCQ4Qi43TqNr.csHigh entropy of concatenated method names: 'x81pH1NjsS', 'qv6pvIt2pO', 'R4ppGmXiq9', 'rUepPVPj45', 'rR9p8wGSpd', 'xAwp2Fuitb', 'LfNpOUwoj6', 'iJnpKC94p9', 'u3bptiWJqZ', 'iDTps6LYTG'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, RhUmNua4HbfKXXKWnc.csHigh entropy of concatenated method names: 'S7GYENfHgW', 'QXOYbYkQV6', 'amIpIW9i1S', 'IUlphdWb6j', 'P6ApocAvIU', 'gnIpM8sVjj', 'aOVpfjotY4', 'ycOpXB6kmb', 'LNxpUCrROp', 'mIIp1R018y'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, AVK0tnygKddfqQqwFa.csHigh entropy of concatenated method names: 'Dispose', 'rodrTt8uiY', 'n59gdxJVSq', 'KXm77IHRwJ', 'iV0rFvpVvH', 'kGMrzpEnUV', 'ProcessDialogKey', 'O3FgxlGc4Z', 'H0YgrWd3fQ', 'sXxggD1ZjH'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, aBA5C2rg4OGBwlweuHD.csHigh entropy of concatenated method names: 'torsZh01GT', 'PX9sCfefiK', 'spus3OF7h8', 'dJcXFUuHbYVfWKL0Mv3', 'g7c2DQuTFTb0l3JF2TZ', 'K5vX88uL9xU5AAKHIna', 'UeMxN6uPTQmh0wkDl91'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, e1U0wlhLCh8W4Il2BO.csHigh entropy of concatenated method names: 'qAHclIXBfb', 'DtycZtL2ZP', 'q4wc3EYCm8', 'R3QcHHOxTn', 'PnfcvuZN4p', 'vVHcbK8kem', 'TkdcP9Dbkp', 'SAbcapIjue', 'ppXa5yAmQMviloOFm7r', 'WIi36EAJI6oFlSeU7I9'
                    Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, aGt5rhfGQ5TrNgoLpn.csHigh entropy of concatenated method names: 'BouAifZsaZ', 'AKLApVsjhc', 'UggAcG4BpF', 'WybcFqUq3A', 'M6Zcz1PGsD', 'rNcAxccuDL', 'aE8Arj7j0Z', 'rf0Ag2pDSp', 'lmZANvNws8', 'Bv6ALX9ASL'
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeFile created: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeJump to dropped file

                    Boot Survival

                    barindex
                    Uses schtasks.exe or at.exe to add and modify task schedules
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpCD6C.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: GlIToApjgGEL.exe PID: 7472, type: MEMORYSTR
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeMemory allocated: F20000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeMemory allocated: 2CC0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeMemory allocated: 2A00000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeMemory allocated: 87C0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeMemory allocated: 97C0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeMemory allocated: 9AB0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeMemory allocated: AAB0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeMemory allocated: 1590000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeMemory allocated: 3130000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeMemory allocated: 5130000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeMemory allocated: 2520000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeMemory allocated: 27A0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeMemory allocated: 26C0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeMemory allocated: 82E0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeMemory allocated: 92E0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeMemory allocated: 95D0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeMemory allocated: A5D0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeMemory allocated: 1150000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeMemory allocated: 3000000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeMemory allocated: 2E40000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6885Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6387Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeWindow / User API: threadDelayed 2420Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeWindow / User API: threadDelayed 7428Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeWindow / User API: threadDelayed 6833
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeWindow / User API: threadDelayed 3020
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 4532Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188Thread sleep count: 6885 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7388Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7364Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep count: 32 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -29514790517935264s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7620Thread sleep count: 2420 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -99839s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -99732s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -99625s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -99516s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7620Thread sleep count: 7428 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -99393s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -99266s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -99156s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -99046s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -98938s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -98813s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -98703s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -98594s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -98469s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -98359s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -98250s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -98141s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -98031s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -97922s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -97812s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -97703s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -97594s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -97469s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -97357s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -97250s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -97141s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -97031s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -96922s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -96812s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -96703s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -96594s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -96484s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -96375s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -96266s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -96141s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -96016s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -95906s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -95797s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -95688s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -95563s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -95438s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -95324s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -95219s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -95094s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -94984s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -94875s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -94766s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -94656s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -94547s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596Thread sleep time: -94438s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7512Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep count: 35 > 30
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -32281802128991695s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7836Thread sleep count: 6833 > 30
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7836Thread sleep count: 3020 > 30
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -99890s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -99781s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -99659s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -99531s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -99421s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -99312s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -99203s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -99084s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -98847s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -98718s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -98608s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -98499s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -98390s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -98281s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -98171s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -98062s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -97952s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -97843s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -97733s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -97624s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -97515s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -97405s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -97296s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -97187s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -97075s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -96968s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -96858s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -96749s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -96640s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -96530s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -96421s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -96312s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -96202s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -96093s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -95984s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -95874s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -95765s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -95655s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -95546s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -95437s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -95328s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -95218s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -95109s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -94999s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -94890s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -94780s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -94671s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -94562s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832Thread sleep time: -94437s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 99839Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 99732Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 99625Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 99516Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 99393Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 99266Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 99156Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 99046Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 98938Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 98813Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 98703Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 98594Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 98469Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 98359Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 98250Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 98141Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 98031Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 97922Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 97812Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 97703Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 97594Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 97469Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 97357Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 97250Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 97141Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 97031Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 96922Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 96812Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 96703Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 96594Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 96484Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 96375Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 96266Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 96141Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 96016Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 95906Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 95797Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 95688Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 95563Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 95438Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 95324Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 95219Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 95094Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 94984Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 94875Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 94766Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 94656Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 94547Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeThread delayed: delay time: 94438Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 99890
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 99781
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 99659
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 99531
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 99421
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 99312
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 99203
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 99084
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 98847
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 98718
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 98608
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 98499
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 98390
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 98281
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 98171
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 98062
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 97952
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 97843
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 97733
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 97624
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 97515
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 97405
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 97296
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 97187
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 97075
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 96968
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 96858
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 96749
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 96640
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 96530
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 96421
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 96312
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 96202
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 96093
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 95984
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 95874
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 95765
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 95655
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 95546
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 95437
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 95328
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 95218
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 95109
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 94999
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 94890
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 94780
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 94671
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 94562
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeThread delayed: delay time: 94437
                    Source: GlIToApjgGEL.exe, 00000013.00000002.1407798826.00000000080C4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Dev
                    Source: GlIToApjgGEL.exe, 00000013.00000002.1407798826.0000000008126000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2527569170.0000000001711000.00000004.00000020.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2539536816.00000000063CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe"
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe"
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe"Jump to behavior
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeMemory written: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe base: 400000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeMemory written: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe base: 400000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpCD6C.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeProcess created: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpE6EF.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess created: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeProcess created: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeQueries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeQueries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeQueries volume information: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeQueries volume information: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 19.2.GlIToApjgGEL.exe.3ae17c0.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.GlIToApjgGEL.exe.3b1c1e0.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.GlIToApjgGEL.exe.3b1c1e0.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.GlIToApjgGEL.exe.3ae17c0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000018.00000002.2528847260.000000000307C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000012.00000002.2527987214.00000000031AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000012.00000002.2527987214.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000018.00000002.2528847260.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.1344574120.0000000004921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000018.00000002.2522255682.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.1344574120.0000000004000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.1403560028.0000000003AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: LisectAVT_2403002A_133.exe PID: 1088, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: LisectAVT_2403002A_133.exe PID: 7320, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: GlIToApjgGEL.exe PID: 7472, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: GlIToApjgGEL.exe PID: 7736, type: MEMORYSTR
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeFile opened: C:\FTP Navigator\Ftplist.txt
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara matchFile source: 19.2.GlIToApjgGEL.exe.3ae17c0.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.GlIToApjgGEL.exe.3b1c1e0.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.GlIToApjgGEL.exe.3b1c1e0.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.GlIToApjgGEL.exe.3ae17c0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000012.00000002.2527987214.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000018.00000002.2528847260.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.1344574120.0000000004921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000018.00000002.2522255682.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.1344574120.0000000004000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.1403560028.0000000003AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: LisectAVT_2403002A_133.exe PID: 1088, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: LisectAVT_2403002A_133.exe PID: 7320, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: GlIToApjgGEL.exe PID: 7472, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: GlIToApjgGEL.exe PID: 7736, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 19.2.GlIToApjgGEL.exe.3ae17c0.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.GlIToApjgGEL.exe.3b1c1e0.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.GlIToApjgGEL.exe.3b1c1e0.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.GlIToApjgGEL.exe.3ae17c0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000018.00000002.2528847260.000000000307C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000012.00000002.2527987214.00000000031AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000012.00000002.2527987214.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000018.00000002.2528847260.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.1344574120.0000000004921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000018.00000002.2522255682.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.1344574120.0000000004000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.1403560028.0000000003AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: LisectAVT_2403002A_133.exe PID: 1088, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: LisectAVT_2403002A_133.exe PID: 7320, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: GlIToApjgGEL.exe PID: 7472, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: GlIToApjgGEL.exe PID: 7736, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		1
                    DLL Side-Loading                    		11
                    Disable or Modify Tools                    		2
                    OS Credential Dumping                    		1
                    File and Directory Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Ingress Tool Transfer                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Scheduled Task/Job                    		1
                    Scheduled Task/Job                    		111
                    Process Injection                    		1
                    Deobfuscate/Decode Files or Information                    		1
                    Input Capture                    		24
                    System Information Discovery                    		Remote Desktop Protocol2
                    Data from Local System                    		11
                    Encrypted Channel                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                    Scheduled Task/Job                    		3
                    Obfuscated Files or Information                    		1
                    Credentials in Registry                    		1
                    Query Registry                    		SMB/Windows Admin Shares1
                    Email Collection                    		1
                    Non-Standard Port                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                    Software Packing                    		NTDS111
                    Security Software Discovery                    		Distributed Component Object Model1
                    Input Capture                    		2
                    Non-Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    DLL Side-Loading                    		LSA Secrets1
                    Process Discovery                    		SSHKeylogging23
                    Application Layer Protocol                    		Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Masquerading                    		Cached Domain Credentials141
                    Virtualization/Sandbox Evasion                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items141
                    Virtualization/Sandbox Evasion                    		DCSync1
                    Application Window Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job111
                    Process Injection                    		Proc Filesystem1
                    System Network Configuration Discovery                    		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1482509 Sample: LisectAVT_2403002A_133.exe Startdate: 25/07/2024 Architecture: WINDOWS Score: 100 48 mail.kabeercommodities.com 2->48 50 kabeercommodities.com 2->50 52 api.ipify.org 2->52 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus / Scanner detection for submitted sample 2->62 64 9 other signatures 2->64 8 LisectAVT_2403002A_133.exe 7 2->8         started        12 GlIToApjgGEL.exe 5 2->12         started        signatures3 process4 file5 40 C:\Users\user\AppData\...behaviorgraphlIToApjgGEL.exe, PE32 8->40 dropped 42 C:\Users\...behaviorgraphlIToApjgGEL.exe:Zone.Identifier, ASCII 8->42 dropped 44 C:\Users\user\AppData\Local\...\tmpCD6C.tmp, XML 8->44 dropped 46 C:\Users\...\LisectAVT_2403002A_133.exe.log, ASCII 8->46 dropped 66 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->66 68 Uses schtasks.exe or at.exe to add and modify task schedules 8->68 70 Adds a directory exclusion to Windows Defender 8->70 14 LisectAVT_2403002A_133.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        72 Antivirus detection for dropped file 12->72 74 Machine Learning detection for dropped file 12->74 76 Injects a PE file into a foreign processes 12->76 24 GlIToApjgGEL.exe 12->24         started        26 schtasks.exe 12->26         started        28 GlIToApjgGEL.exe 12->28         started        signatures6 process7 dnsIp8 54 kabeercommodities.com 45.91.139.1, 49706, 49708, 587 MEER-ASmeerfarbigGmbHCoKGDE Lithuania 14->54 56 api.ipify.org 172.67.74.152, 443, 49704, 49707 CLOUDFLARENETUS United States 14->56 78 Loading BitLocker PowerShell Module 18->78 30 conhost.exe 18->30         started        32 WmiPrvSE.exe 18->32         started        34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        80 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->80 82 Tries to steal Mail credentials (via file / registry access) 24->82 84 Tries to harvest and steal ftp login credentials 24->84 86 Tries to harvest and steal browser information (history, passwords, etc) 24->86 38 conhost.exe 26->38         started        signatures9 process10

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    LisectAVT_2403002A_133.exe100%AviraHEUR/AGEN.1323752
                    LisectAVT_2403002A_133.exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe100%AviraHEUR/AGEN.1323752
                    C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe100%Joe Sandbox ML

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    https://api.ipify.org/0%URL Reputationsafe
                    https://api.ipify.org0%URL Reputationsafe
                    https://account.dyn.com/0%URL Reputationsafe
                    https://api.ipify.org/t0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                    http://x1.c.lencr.org/00%URL Reputationsafe
                    http://x1.i.lencr.org/00%URL Reputationsafe
                    http://kabeercommodities.com0%Avira URL Cloudsafe
                    http://r10.i.lencr.org/090%Avira URL Cloudsafe
                    http://mail.kabeercommodities.com0%Avira URL Cloudsafe
                    http://r10.o.lencr.org0#0%Avira URL Cloudsafe
                    http://crl.micros;0%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    kabeercommodities.com
                    		45.91.139.1
                    		truetrue
                      		unknown
                      api.ipify.org
                      		172.67.74.152
                      		truefalse
                        		unknown
                        mail.kabeercommodities.com
                        		unknown
                        		unknowntrue
                          		unknown

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          https://api.ipify.org/false
                          • URL Reputation: safe
                          		unknown

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          https://api.ipify.orgLisectAVT_2403002A_133.exe, 00000004.00000002.1344574120.0000000004000000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000004.00000002.1344574120.0000000004921000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.0000000003131000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000013.00000002.1403560028.0000000003AE1000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003001000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2522255682.0000000000415000.00000040.00000400.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://r10.o.lencr.org0#LisectAVT_2403002A_133.exe, 00000012.00000002.2526645083.0000000001676000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.00000000031B4000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2526896258.0000000001249000.00000004.00000020.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003084000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://account.dyn.com/LisectAVT_2403002A_133.exe, 00000004.00000002.1344574120.0000000004000000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000004.00000002.1344574120.0000000004921000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000013.00000002.1403560028.0000000003AE1000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2522255682.0000000000415000.00000040.00000400.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://api.ipify.org/tLisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.0000000003131000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003001000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://kabeercommodities.comLisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.00000000031AC000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.000000000307C000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://mail.kabeercommodities.comLisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.00000000031AC000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.000000000307C000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameLisectAVT_2403002A_133.exe, 00000004.00000002.1343518581.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.0000000003131000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000013.00000002.1402251524.0000000002810000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003001000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://x1.c.lencr.org/0LisectAVT_2403002A_133.exe, 00000012.00000002.2526645083.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.00000000031B4000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2526896258.0000000001214000.00000004.00000020.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003084000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://x1.i.lencr.org/0LisectAVT_2403002A_133.exe, 00000012.00000002.2526645083.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.00000000031B4000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2526896258.0000000001214000.00000004.00000020.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2539536816.00000000063CB000.00000004.00000020.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003084000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://crl.micros;LisectAVT_2403002A_133.exe, 00000012.00000002.2539654353.0000000006927000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://r10.i.lencr.org/09LisectAVT_2403002A_133.exe, 00000012.00000002.2526645083.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2526645083.0000000001676000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.00000000031B4000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2526896258.0000000001249000.00000004.00000020.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003084000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown

                          World Map of Contacted IPs

                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs

                          Public IPs

                          IPDomainCountryFlagASNASN NameMalicious
                          45.91.139.1
                          		kabeercommodities.comLithuania
                          		34549MEER-ASmeerfarbigGmbHCoKGDEtrue
                          172.67.74.152
                          		api.ipify.orgUnited States
                          		13335CLOUDFLARENETUSfalse

                          General Information

                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1482509
                          Start date and time:2024-07-25 23:57:05 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 8m 2s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:30
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:LisectAVT_2403002A_133.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@21/15@2/2
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 170
                          • Number of non-executed functions: 22
                          Cookbook Comments:
                          • Found application associated with file extension: .exe

                          Warnings

                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • VT rate limit hit for: LisectAVT_2403002A_133.exe

                          Simulations

                          Behavior and APIs

                          TimeTypeDescription
                          17:58:02API Interceptor107x Sleep call for process: LisectAVT_2403002A_133.exe modified
                          17:58:06API Interceptor36x Sleep call for process: powershell.exe modified
                          17:58:09API Interceptor88x Sleep call for process: GlIToApjgGEL.exe modified
                          23:58:06Task SchedulerRun new task: GlIToApjgGEL path: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe

                          Joe Sandbox View / Context

                          IPs

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          45.91.139.1P3DuNLpu72.exeGet hashmaliciousAgentTeslaBrowse
                            PO#241001759.exeGet hashmaliciousAgentTeslaBrowse
                              SecuriteInfo.com.Win32.PWSX-gen.29051.4919.exeGet hashmaliciousAgentTeslaBrowse
                                6WMFyWEJ9J.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                  gKqp0d6IXP.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                    qxwhJXhPtC.exeGet hashmaliciousAgentTeslaBrowse
                                      conhost.exeGet hashmaliciousAgentTeslaBrowse
                                        PO#_231001759.exeGet hashmaliciousAgentTeslaBrowse
                                          172.67.74.152golang-modules.exeGet hashmaliciousUnknownBrowse
                                          • api.ipify.org/
                                          SecuriteInfo.com.Trojan.Win64.Agent.14415.19839.exeGet hashmaliciousUnknownBrowse
                                          • api.ipify.org/
                                          242764.exeGet hashmaliciousFicker Stealer, Rusty StealerBrowse
                                          • api.ipify.org/?format=wef
                                          K8mzlntJVN.msiGet hashmaliciousUnknownBrowse
                                          • api.ipify.org/
                                          stub.exeGet hashmaliciousUnknownBrowse
                                          • api.ipify.org/
                                          stub.exeGet hashmaliciousUnknownBrowse
                                          • api.ipify.org/
                                          Sonic-Glyder.exeGet hashmaliciousStealitBrowse
                                          • api.ipify.org/?format=json
                                          Sky-Beta.exeGet hashmaliciousUnknownBrowse
                                          • api.ipify.org/?format=json
                                          Sky-Beta.exeGet hashmaliciousUnknownBrowse
                                          • api.ipify.org/?format=json
                                          Sky-Beta-Setup.exeGet hashmaliciousStealitBrowse
                                          • api.ipify.org/?format=json

                                          Domains

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          api.ipify.orgLisectAVT_2403002A_2.exeGet hashmaliciousAgentTeslaBrowse
                                          • 172.67.74.152
                                          LisectAVT_2403002A_460.exeGet hashmaliciousAgentTeslaBrowse
                                          • 104.26.13.205
                                          LisectAVT_2403002A_481.exeGet hashmaliciousLuna Grabber, Luna LoggerBrowse
                                          • 104.26.12.205
                                          LisectAVT_2403002A_63.exeGet hashmaliciousAgentTeslaBrowse
                                          • 172.67.74.152
                                          LisectAVT_2403002A_59.exeGet hashmaliciousAgentTeslaBrowse
                                          • 104.26.13.205
                                          LisectAVT_2403002A_74.exeGet hashmaliciousAgentTeslaBrowse
                                          • 104.26.13.205
                                          SWIFT COPY.exeGet hashmaliciousAgentTeslaBrowse
                                          • 172.67.74.152
                                          Re_ Q22689 - 07.24.2024_Conduit Construction Network Ltd_Today.emlGet hashmaliciousUnknownBrowse
                                          • 172.67.74.152
                                          LisectAVT_2403002B_385.exeGet hashmaliciousAgentTesla, BdaejecBrowse
                                          • 104.26.12.205
                                          LisectAVT_2403002B_390.exeGet hashmaliciousAgentTesla, BdaejecBrowse
                                          • 104.26.13.205

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          MEER-ASmeerfarbigGmbHCoKGDELisectAVT_2403002A_165.exeGet hashmaliciousSocks5SystemzBrowse
                                          • 45.155.250.89
                                          LisectAVT_2403002A_168.exeGet hashmaliciousSocks5SystemzBrowse
                                          • 45.155.250.89
                                          LisectAVT_2403002A_164.exeGet hashmaliciousSocks5SystemzBrowse
                                          • 45.155.250.89
                                          LisectAVT_2403002A_165.exeGet hashmaliciousSocks5SystemzBrowse
                                          • 45.155.250.89
                                          LisectAVT_2403002A_168.exeGet hashmaliciousSocks5SystemzBrowse
                                          • 45.155.250.89
                                          LisectAVT_2403002A_171.exeGet hashmaliciousSocks5SystemzBrowse
                                          • 45.155.250.89
                                          LisectAVT_2403002A_184.exeGet hashmaliciousSocks5SystemzBrowse
                                          • 45.155.250.89
                                          LisectAVT_2403002A_189.exeGet hashmaliciousSocks5SystemzBrowse
                                          • 45.155.250.89
                                          LisectAVT_2403002A_221.exeGet hashmaliciousSocks5SystemzBrowse
                                          • 45.155.250.89
                                          LisectAVT_2403002A_221.exeGet hashmaliciousSocks5SystemzBrowse
                                          • 45.155.250.89
                                          CLOUDFLARENETUSLisectAVT_2403002A_147.exeGet hashmaliciousBlank GrabberBrowse
                                          • 162.159.138.232
                                          LisectAVT_2403002A_155.exeGet hashmaliciousUnknownBrowse
                                          • 172.67.202.72
                                          LisectAVT_2403002A_161.exeGet hashmaliciousLuna Grabber, Luna LoggerBrowse
                                          • 162.159.133.233
                                          LisectAVT_2403002A_162.exeGet hashmaliciousUnknownBrowse
                                          • 104.21.85.44
                                          https://aecoa.racipens.su/ievqefkwtdjogsyjfdbfnprzYkzLoDtSZBZFTQIDNBMGDEMRMWVOLGXOOCCPHOBAHWORBTIQHFOUAGEIrstXEZnKMUIf12KAT7V5Wwx35Get hashmaliciousUnknownBrowse
                                          • 172.67.170.95
                                          LisectAVT_2403002A_2.exeGet hashmaliciousAgentTeslaBrowse
                                          • 172.67.74.152
                                          https://taf7.rphortan.com/xV5YqZuT/#Xjeffrey.laws@99restaurants.comGet hashmaliciousHTMLPhisher, Tycoon2FABrowse
                                          • 104.17.25.14
                                          LisectAVT_2403002A_210.exeGet hashmaliciousPython Stealer, Empyrean, Discord Token StealerBrowse
                                          • 104.16.123.96
                                          Jeffrey.laws Replay VM (01m27sec).docxGet hashmaliciousHTMLPhisherBrowse
                                          • 172.64.151.101
                                          LisectAVT_2403002A_220.exeGet hashmaliciousUnknownBrowse
                                          • 104.21.6.108

                                          JA3 Fingerprints

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          3b5074b1b5d032e5620f69f9f700ff0eLisectAVT_2403002A_14.exeGet hashmaliciousUnknownBrowse
                                          • 172.67.74.152
                                          LisectAVT_2403002A_14.exeGet hashmaliciousUnknownBrowse
                                          • 172.67.74.152
                                          LisectAVT_2403002A_155.exeGet hashmaliciousUnknownBrowse
                                          • 172.67.74.152
                                          LisectAVT_2403002A_162.exeGet hashmaliciousUnknownBrowse
                                          • 172.67.74.152
                                          LisectAVT_2403002A_2.exeGet hashmaliciousAgentTeslaBrowse
                                          • 172.67.74.152
                                          LisectAVT_2403002A_220.exeGet hashmaliciousUnknownBrowse
                                          • 172.67.74.152
                                          LisectAVT_2403002A_308.exeGet hashmaliciousUnknownBrowse
                                          • 172.67.74.152
                                          LisectAVT_2403002A_308.exeGet hashmaliciousUnknownBrowse
                                          • 172.67.74.152
                                          LisectAVT_2403002A_333.exeGet hashmaliciousUnknownBrowse
                                          • 172.67.74.152
                                          LisectAVT_2403002A_333.exeGet hashmaliciousUnknownBrowse
                                          • 172.67.74.152

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GlIToApjgGEL.exe.log

                                          Download File
                                          Process:C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1415
                                          Entropy (8bit):5.352427679901606
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRuAE4KzecKIE4oKNzKorE4x84j:MIHK5HKH1qHiYHKh3oPHKMRuAHKzectP
                                          MD5:3978978DE913FD1C068312697D6E5917
                                          SHA1:1DABBE7FB8F38F6EBF474CE5F0ECAA89F48E2538
                                          SHA-256:33B7B1668DDD3AB39711F9F93B667F6F2F674348A79228BFA163BA625B37F120
                                          SHA-512:78694B97F5D03758F503155E5CE5B85AABDF9690F0DFBC51FCE9926BE2D86BCF99E008659420F1E8489A7F6EA125F2776D4C6DC4B151566B529454512352953D
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll"

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_133.exe.log

                                          Download File
                                          Process:C:\Users\user\Desktop\LisectAVT_2403002A_133.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1415
                                          Entropy (8bit):5.352427679901606
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRuAE4KzecKIE4oKNzKorE4x84j:MIHK5HKH1qHiYHKh3oPHKMRuAHKzectP
                                          MD5:3978978DE913FD1C068312697D6E5917
                                          SHA1:1DABBE7FB8F38F6EBF474CE5F0ECAA89F48E2538
                                          SHA-256:33B7B1668DDD3AB39711F9F93B667F6F2F674348A79228BFA163BA625B37F120
                                          SHA-512:78694B97F5D03758F503155E5CE5B85AABDF9690F0DFBC51FCE9926BE2D86BCF99E008659420F1E8489A7F6EA125F2776D4C6DC4B151566B529454512352953D
                                          Malicious:true
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll"

                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):2232
                                          Entropy (8bit):5.379540626579189
                                          Encrypted:false
                                          SSDEEP:48:BWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:BLHxvIIwLgZ2KRHWLOug8s
                                          MD5:3604448ACFFDEA4C8F0E1157944DF8AA
                                          SHA1:25B24FBF7F874AF9F77EDC1002698A1823563C96
                                          SHA-256:03D975643485A13BCA08BB7801689F354193782332E13C1D3D157782C4A90829
                                          SHA-512:B4F4024BA4D71451E9CA4150A4E8D9347E276E8FA7C7D6DEC6E6D5BA6EA9E8A69F735A9021DFFF911C82B74D238EE6EB3E1F17A57F976207EF9B476D0BEB2C50
                                          Malicious:false
                                          Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bolbem2p.ywk.ps1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_edkdearx.j4a.psm1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gzobwmys.b1z.psm1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j5qnhrc5.din.ps1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_keacwpii.npm.ps1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mfvtdh0q.nwy.psm1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sou4er2x.uuf.ps1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xwftd0m5.fpn.psm1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\tmpCD6C.tmp

                                          Download File
                                          Process:C:\Users\user\Desktop\LisectAVT_2403002A_133.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1606
                                          Entropy (8bit):5.12492380587016
                                          Encrypted:false
                                          SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtdcxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTdcv
                                          MD5:BAD85834F5E70184B4C17B9B17B360A3
                                          SHA1:380B80F2F5860BD154BEFB2E4351172013F22AF4
                                          SHA-256:3AC8CFB8C4C6A9D6BF525C31AA323FCB1CC182002AB0B271BB251CFA9431FB20
                                          SHA-512:F4A161169DA61FD1C05F16AF5B52725478E1171C1A771729025DE39FD6D47E53C37E51CB780F51FBFA3584F0B020FEEF17D3C5E916C1E38E98C253D101145162
                                          Malicious:true
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

                                          C:\Users\user\AppData\Local\Temp\tmpE6EF.tmp

                                          Download File
                                          Process:C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1606
                                          Entropy (8bit):5.12492380587016
                                          Encrypted:false
                                          SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtdcxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTdcv
                                          MD5:BAD85834F5E70184B4C17B9B17B360A3
                                          SHA1:380B80F2F5860BD154BEFB2E4351172013F22AF4
                                          SHA-256:3AC8CFB8C4C6A9D6BF525C31AA323FCB1CC182002AB0B271BB251CFA9431FB20
                                          SHA-512:F4A161169DA61FD1C05F16AF5B52725478E1171C1A771729025DE39FD6D47E53C37E51CB780F51FBFA3584F0B020FEEF17D3C5E916C1E38E98C253D101145162
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

                                          C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe

                                          Download File
                                          Process:C:\Users\user\Desktop\LisectAVT_2403002A_133.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):747018
                                          Entropy (8bit):7.9512885595946825
                                          Encrypted:false
                                          SSDEEP:12288:INeOQx3TdpCmdIdL2/2gHecoI/v0b24w135wltCE5UrMkpOTOudkdRsoBiQ:kixjdpfId65Jn/r4m5wfCMop6OeoR/EQ
                                          MD5:56808E1595200230CAE4AE17B5DBB869
                                          SHA1:CE0935FEFED25268069331BA6277B4D14C385E28
                                          SHA-256:1A38E29DFF73F042B8ABB0ED1398A37EEFA8FE3F6030E27A9A22B8964263B146
                                          SHA-512:28D5F6D36E206004A8A60F7BB66AEAE9F1965C548DA0BABEBDAE9AAB6098794985AE5E55C483CF0C99EF33396CB6ABD3E2B2CF07D4F6734ECF9E6A5861503F98
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nW.f.................B...".......a... ........@.. ....................................@.................................da..W.................................................................................... ............... ..H............text....A... ...B.................. ..`.rsrc............ ...D..............@..@.reloc...............d..............@..B.................a......H.......$*..@7......*......`w..........................................z.(......}.....(....o....}....*..0...........{............3.....(.....*..................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.|.{....Xa}......}.....{....oC...:q....(....+..(........}.........(......*................n..}.....{....,..{....o@...*..{....*.s..

                                          C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe:Zone.Identifier

                                          Download File
                                          Process:C:\Users\user\Desktop\LisectAVT_2403002A_133.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Preview:[ZoneTransfer]....ZoneId=0

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.9512885595946825
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:LisectAVT_2403002A_133.exe
                                          File size:747'018 bytes
                                          MD5:56808e1595200230cae4ae17b5dbb869
                                          SHA1:ce0935fefed25268069331ba6277b4d14c385e28
                                          SHA256:1a38e29dff73f042b8abb0ed1398a37eefa8fe3f6030e27a9a22b8964263b146
                                          SHA512:28d5f6d36e206004a8a60f7bb66aeae9f1965c548da0babebdae9aab6098794985ae5e55c483cf0c99ef33396cb6abd3e2b2cf07d4f6734ecf9e6a5861503f98
                                          SSDEEP:12288:INeOQx3TdpCmdIdL2/2gHecoI/v0b24w135wltCE5UrMkpOTOudkdRsoBiQ:kixjdpfId65Jn/r4m5wfCMop6OeoR/EQ
                                          TLSH:5DF401D6A1B71853EBDB45F042A3398E1775A22C31AAC6890F603DC875D2FC5FD8C686
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nW.f.................B...".......a... ........@.. ....................................@................................

                                          File Icon

                                          Icon Hash:4d0e3168cec67117

                                          Static PE Info

                                          General

                                          Entrypoint:0x4b61be
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x6603576E [Tue Mar 26 23:17:02 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al

                                          Data Directories

                                          NameVirtual AddressVirtual Size Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT0xb61640x57.text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xb80000x1fe0.rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xba0000xc.reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                          Sections

                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                          .text0x20000xb41c40xb42007cdca010b865bbbe689afc4bcc51977bFalse0.9443420367800138data7.956613403047499IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rsrc0xb80000x1fe00x2000e042f5b29124f5c6b66cdfbc34f77106False0.899658203125data7.56122725112233IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc0xba0000xc0x2000fd341ed5982e299679a6a6e8e4b0dcdFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                          RT_ICON0xb80e80x1c2ePNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9579983365677849
                                          RT_GROUP_ICON0xb9d180x14data1.05
                                          RT_VERSION0xb9d2c0x2b4data0.4754335260115607

                                          Imports

                                          DLLImport
                                          mscoree.dll_CorExeMain

                                          Network Behavior

                                          Suricata IDS Alerts

                                          TimestampProtocolSIDSignatureSource PortDest PortSource IPDest IP
                                          2024-07-25T23:58:21.889521+0200TCP2022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow4434970913.85.23.86192.168.2.7
                                          2024-07-25T23:59:00.566677+0200TCP2022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow4434971413.85.23.86192.168.2.7

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Jul 25, 2024 23:58:07.521459103 CEST49704443192.168.2.7172.67.74.152
                                          Jul 25, 2024 23:58:07.521495104 CEST44349704172.67.74.152192.168.2.7
                                          Jul 25, 2024 23:58:07.521636009 CEST49704443192.168.2.7172.67.74.152
                                          Jul 25, 2024 23:58:07.529664993 CEST49704443192.168.2.7172.67.74.152
                                          Jul 25, 2024 23:58:07.529678106 CEST44349704172.67.74.152192.168.2.7
                                          Jul 25, 2024 23:58:08.040087938 CEST44349704172.67.74.152192.168.2.7
                                          Jul 25, 2024 23:58:08.040215015 CEST49704443192.168.2.7172.67.74.152
                                          Jul 25, 2024 23:58:08.044384003 CEST49704443192.168.2.7172.67.74.152
                                          Jul 25, 2024 23:58:08.044390917 CEST44349704172.67.74.152192.168.2.7
                                          Jul 25, 2024 23:58:08.044764996 CEST44349704172.67.74.152192.168.2.7
                                          Jul 25, 2024 23:58:08.086911917 CEST49704443192.168.2.7172.67.74.152
                                          Jul 25, 2024 23:58:08.223231077 CEST49704443192.168.2.7172.67.74.152
                                          Jul 25, 2024 23:58:08.264503002 CEST44349704172.67.74.152192.168.2.7
                                          Jul 25, 2024 23:58:08.342072010 CEST44349704172.67.74.152192.168.2.7
                                          Jul 25, 2024 23:58:08.342150927 CEST44349704172.67.74.152192.168.2.7
                                          Jul 25, 2024 23:58:08.342422962 CEST49704443192.168.2.7172.67.74.152
                                          Jul 25, 2024 23:58:08.348218918 CEST49704443192.168.2.7172.67.74.152
                                          Jul 25, 2024 23:58:09.738147974 CEST49706587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:09.743474960 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:09.743541002 CEST49706587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:10.618215084 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:10.618669033 CEST49706587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:10.623533010 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:11.628674030 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:11.628850937 CEST49706587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:11.633852005 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:12.013339043 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:12.013751984 CEST49706587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:12.018596888 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:12.354206085 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:12.354302883 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:12.354310989 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:12.354355097 CEST49706587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:12.486927032 CEST49706587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:12.688620090 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:13.023251057 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:13.026391983 CEST49706587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:13.033154964 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:13.307681084 CEST49707443192.168.2.7172.67.74.152
                                          Jul 25, 2024 23:58:13.307723045 CEST44349707172.67.74.152192.168.2.7
                                          Jul 25, 2024 23:58:13.307842016 CEST49707443192.168.2.7172.67.74.152
                                          Jul 25, 2024 23:58:13.310898066 CEST49707443192.168.2.7172.67.74.152
                                          Jul 25, 2024 23:58:13.310911894 CEST44349707172.67.74.152192.168.2.7
                                          Jul 25, 2024 23:58:13.422207117 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:13.444046974 CEST49706587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:13.449642897 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:13.780288935 CEST44349707172.67.74.152192.168.2.7
                                          Jul 25, 2024 23:58:13.780359030 CEST49707443192.168.2.7172.67.74.152
                                          Jul 25, 2024 23:58:13.782784939 CEST49707443192.168.2.7172.67.74.152
                                          Jul 25, 2024 23:58:13.782799006 CEST44349707172.67.74.152192.168.2.7
                                          Jul 25, 2024 23:58:13.783036947 CEST44349707172.67.74.152192.168.2.7
                                          Jul 25, 2024 23:58:13.836894989 CEST49707443192.168.2.7172.67.74.152
                                          Jul 25, 2024 23:58:13.866127968 CEST49707443192.168.2.7172.67.74.152
                                          Jul 25, 2024 23:58:13.912493944 CEST44349707172.67.74.152192.168.2.7
                                          Jul 25, 2024 23:58:13.971733093 CEST44349707172.67.74.152192.168.2.7
                                          Jul 25, 2024 23:58:13.971898079 CEST44349707172.67.74.152192.168.2.7
                                          Jul 25, 2024 23:58:13.971950054 CEST49707443192.168.2.7172.67.74.152
                                          Jul 25, 2024 23:58:13.974822044 CEST49707443192.168.2.7172.67.74.152
                                          Jul 25, 2024 23:58:14.517879963 CEST49708587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:14.522838116 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:14.523555994 CEST49708587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:15.400527000 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:15.400880098 CEST49708587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:15.406362057 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:15.793982983 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:15.794353962 CEST49708587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:15.799369097 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:16.360730886 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:16.361253023 CEST49708587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:16.366089106 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:16.704211950 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:16.704314947 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:16.704324961 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:16.704631090 CEST49708587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:16.704679966 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:16.704852104 CEST49708587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:16.705821037 CEST49708587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:16.710949898 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:17.036034107 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:17.039397955 CEST49708587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:17.044378996 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:17.421159983 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:17.421575069 CEST49708587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:17.426594019 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:17.818284035 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:17.844285011 CEST49706587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:17.849086046 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:20.230443001 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:20.230869055 CEST49706587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:20.235727072 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:20.664413929 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:20.664669991 CEST49706587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:20.669589996 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:21.076829910 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:21.112683058 CEST49706587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:21.118457079 CEST5874970645.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:21.118715048 CEST49706587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:21.788300991 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:21.788857937 CEST49708587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:21.794126034 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:23.661278009 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:23.662590981 CEST49708587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:23.668607950 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:24.105195045 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:24.105433941 CEST49708587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:24.110435009 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:24.487520933 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:24.504914045 CEST49708587192.168.2.745.91.139.1
                                          Jul 25, 2024 23:58:24.515522003 CEST5874970845.91.139.1192.168.2.7
                                          Jul 25, 2024 23:58:24.515579939 CEST49708587192.168.2.745.91.139.1

                                          UDP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Jul 25, 2024 23:58:07.451101065 CEST6292653192.168.2.71.1.1.1
                                          Jul 25, 2024 23:58:07.458317041 CEST53629261.1.1.1192.168.2.7
                                          Jul 25, 2024 23:58:09.145893097 CEST6342853192.168.2.71.1.1.1
                                          Jul 25, 2024 23:58:09.736495972 CEST53634281.1.1.1192.168.2.7

                                          DNS Queries

                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                          Jul 25, 2024 23:58:07.451101065 CEST192.168.2.71.1.1.10x8c8Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                          Jul 25, 2024 23:58:09.145893097 CEST192.168.2.71.1.1.10xbf90Standard query (0)mail.kabeercommodities.comA (IP address)IN (0x0001)false

                                          DNS Answers

                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                          Jul 25, 2024 23:58:07.458317041 CEST1.1.1.1192.168.2.70x8c8No error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                          Jul 25, 2024 23:58:07.458317041 CEST1.1.1.1192.168.2.70x8c8No error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                          Jul 25, 2024 23:58:07.458317041 CEST1.1.1.1192.168.2.70x8c8No error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                          Jul 25, 2024 23:58:09.736495972 CEST1.1.1.1192.168.2.70xbf90No error (0)mail.kabeercommodities.comkabeercommodities.comCNAME (Canonical name)IN (0x0001)false
                                          Jul 25, 2024 23:58:09.736495972 CEST1.1.1.1192.168.2.70xbf90No error (0)kabeercommodities.com45.91.139.1A (IP address)IN (0x0001)false

                                          HTTP Request Dependency Graph

                                          • api.ipify.org

                                          HTTPS Proxied Packets

                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          0192.168.2.749704172.67.74.1524437320C:\Users\user\Desktop\LisectAVT_2403002A_133.exe
                                          TimestampBytes transferredDirectionData
                                          2024-07-25 21:58:08 UTC155OUTGET / HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                          Host: api.ipify.org
                                          Connection: Keep-Alive
                                          2024-07-25 21:58:08 UTC211INHTTP/1.1 200 OK
                                          Date: Thu, 25 Jul 2024 21:58:08 GMT
                                          Content-Type: text/plain
                                          Content-Length: 11
                                          Connection: close
                                          Vary: Origin
                                          CF-Cache-Status: DYNAMIC
                                          Server: cloudflare
                                          CF-RAY: 8a8f68ddb8ac7d08-EWR
                                          2024-07-25 21:58:08 UTC11INData Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                          Data Ascii: 8.46.123.33


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          1192.168.2.749707172.67.74.1524437736C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe
                                          TimestampBytes transferredDirectionData
                                          2024-07-25 21:58:13 UTC155OUTGET / HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                          Host: api.ipify.org
                                          Connection: Keep-Alive
                                          2024-07-25 21:58:13 UTC211INHTTP/1.1 200 OK
                                          Date: Thu, 25 Jul 2024 21:58:13 GMT
                                          Content-Type: text/plain
                                          Content-Length: 11
                                          Connection: close
                                          Vary: Origin
                                          CF-Cache-Status: DYNAMIC
                                          Server: cloudflare
                                          CF-RAY: 8a8f6900ff7d41c6-EWR
                                          2024-07-25 21:58:13 UTC11INData Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                          Data Ascii: 8.46.123.33


                                          SMTP Packets

                                          TimestampSource PortDest PortSource IPDest IPCommands
                                          Jul 25, 2024 23:58:10.618215084 CEST5874970645.91.139.1192.168.2.7220-cloud313.corpservers.net ESMTP Exim 4.97.1 #2 Fri, 26 Jul 2024 02:58:10 +0500
                                          220-We do not authorize the use of this system to transport unsolicited,
                                          220 and/or bulk e-mail.
                                          Jul 25, 2024 23:58:10.618669033 CEST49706587192.168.2.745.91.139.1EHLO 784794
                                          Jul 25, 2024 23:58:11.628674030 CEST5874970645.91.139.1192.168.2.7250-cloud313.corpservers.net Hello localhost [127.0.0.1]
                                          250-STARTTLS
                                          250-SIZE 52428800
                                          250-8BITMIME
                                          250-AUTH PLAIN LOGIN
                                          250 HELP
                                          Jul 25, 2024 23:58:11.628850937 CEST49706587192.168.2.745.91.139.1STARTTLS
                                          Jul 25, 2024 23:58:12.013339043 CEST5874970645.91.139.1192.168.2.7220 TLS go ahead
                                          Jul 25, 2024 23:58:15.400527000 CEST5874970845.91.139.1192.168.2.7220-cloud313.corpservers.net ESMTP Exim 4.97.1 #2 Fri, 26 Jul 2024 02:58:15 +0500
                                          220-We do not authorize the use of this system to transport unsolicited,
                                          220 and/or bulk e-mail.
                                          Jul 25, 2024 23:58:15.400880098 CEST49708587192.168.2.745.91.139.1EHLO 784794
                                          Jul 25, 2024 23:58:15.793982983 CEST5874970845.91.139.1192.168.2.7250-cloud313.corpservers.net Hello localhost [127.0.0.1]
                                          250-STARTTLS
                                          250-SIZE 52428800
                                          250-8BITMIME
                                          250-AUTH PLAIN LOGIN
                                          250 HELP
                                          Jul 25, 2024 23:58:15.794353962 CEST49708587192.168.2.745.91.139.1STARTTLS
                                          Jul 25, 2024 23:58:16.360730886 CEST5874970845.91.139.1192.168.2.7220 TLS go ahead

                                          Statistics

                                          CPU Usage

                                          Click to jump to process

                                          Memory Usage

                                          Click to jump to process

                                          High Level Behavior Distribution

                                          Click to dive into process behavior distribution

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          General

                                          Target ID:4
                                          Start time:17:58:01
                                          Start date:25/07/2024
                                          Path:C:\Users\user\Desktop\LisectAVT_2403002A_133.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\LisectAVT_2403002A_133.exe"
                                          Imagebase:0x810000
                                          File size:747'018 bytes
                                          MD5 hash:56808E1595200230CAE4AE17B5DBB869
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1344574120.0000000004921000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.1344574120.0000000004921000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1344574120.0000000004000000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.1344574120.0000000004000000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:true

                                          General

                                          Target ID:11
                                          Start time:17:58:05
                                          Start date:25/07/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe"
                                          Imagebase:0x530000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:12
                                          Start time:17:58:05
                                          Start date:25/07/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff75da10000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:13
                                          Start time:17:58:05
                                          Start date:25/07/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe"
                                          Imagebase:0x530000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:14
                                          Start time:17:58:05
                                          Start date:25/07/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff75da10000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:16
                                          Start time:17:58:05
                                          Start date:25/07/2024
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpCD6C.tmp"
                                          Imagebase:0xc30000
                                          File size:187'904 bytes
                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:17
                                          Start time:17:58:05
                                          Start date:25/07/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff75da10000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:18
                                          Start time:17:58:05
                                          Start date:25/07/2024
                                          Path:C:\Users\user\Desktop\LisectAVT_2403002A_133.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\LisectAVT_2403002A_133.exe"
                                          Imagebase:0xdd0000
                                          File size:747'018 bytes
                                          MD5 hash:56808E1595200230CAE4AE17B5DBB869
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.2527987214.00000000031AC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2527987214.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.2527987214.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:false

                                          General

                                          Target ID:19
                                          Start time:17:58:06
                                          Start date:25/07/2024
                                          Path:C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe
                                          Imagebase:0x360000
                                          File size:747'018 bytes
                                          MD5 hash:56808E1595200230CAE4AE17B5DBB869
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.1403560028.0000000003AE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.1403560028.0000000003AE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Antivirus matches:
                                          • Detection: 100%, Avira
                                          • Detection: 100%, Joe Sandbox ML
                                          Reputation:low
                                          Has exited:true

                                          General

                                          Target ID:20
                                          Start time:17:58:08
                                          Start date:25/07/2024
                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                          Imagebase:0x7ff7fb730000
                                          File size:496'640 bytes
                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:false

                                          General

                                          Target ID:21
                                          Start time:17:58:12
                                          Start date:25/07/2024
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpE6EF.tmp"
                                          Imagebase:0xc30000
                                          File size:187'904 bytes
                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:22
                                          Start time:17:58:12
                                          Start date:25/07/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff75da10000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:23
                                          Start time:17:58:12
                                          Start date:25/07/2024
                                          Path:C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe"
                                          Imagebase:0x2d0000
                                          File size:747'018 bytes
                                          MD5 hash:56808E1595200230CAE4AE17B5DBB869
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          General

                                          Target ID:24
                                          Start time:17:58:12
                                          Start date:25/07/2024
                                          Path:C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe"
                                          Imagebase:0xa90000
                                          File size:747'018 bytes
                                          MD5 hash:56808E1595200230CAE4AE17B5DBB869
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.2528847260.000000000307C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.2528847260.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.2528847260.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.2522255682.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.2522255682.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:false

                                          Disassembly

                                          Reset < >

                                            Execution Graph

                                            Execution Coverage:11.7%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:204
                                            Total number of Limit Nodes:13
                                            execution_graph 31445 f2d630 31448 f2d717 31445->31448 31446 f2d63f 31449 f2d722 31448->31449 31450 f2d6d2 31448->31450 31451 f2d75c 31449->31451 31457 f2d9b8 31449->31457 31461 f2d9c0 31449->31461 31450->31446 31451->31446 31452 f2d754 31452->31451 31453 f2d960 GetModuleHandleW 31452->31453 31454 f2d98d 31453->31454 31454->31446 31458 f2d9c0 31457->31458 31460 f2d9f9 31458->31460 31465 f2d128 31458->31465 31460->31452 31462 f2d9d4 31461->31462 31463 f2d9f9 31462->31463 31464 f2d128 LoadLibraryExW 31462->31464 31463->31452 31464->31463 31466 f2dba0 LoadLibraryExW 31465->31466 31468 f2dc19 31466->31468 31468->31460 31675 85a5278 31677 85a528d 31675->31677 31679 85a5347 31677->31679 31680 85a1a28 31677->31680 31678 85a531c 31681 85a1a4c 31680->31681 31682 85a1a53 31680->31682 31681->31678 31688 85a1a7a 31682->31688 31689 85a04bc 31682->31689 31685 85a04bc GetCurrentThreadId 31685->31688 31686 85a1d8f GetCurrentThreadId 31687 85a1aa6 31686->31687 31687->31678 31688->31686 31688->31687 31690 85a04c7 31689->31690 31691 85a1d8f GetCurrentThreadId 31690->31691 31692 85a1a70 31690->31692 31691->31692 31692->31685 31634 f24668 31635 f24672 31634->31635 31637 f24759 31634->31637 31638 f2477d 31637->31638 31642 f24868 31638->31642 31646 f24858 31638->31646 31644 f2488f 31642->31644 31643 f2496c 31643->31643 31644->31643 31650 f244b4 31644->31650 31648 f24868 31646->31648 31647 f2496c 31648->31647 31649 f244b4 CreateActCtxA 31648->31649 31649->31647 31651 f258f8 CreateActCtxA 31650->31651 31653 f259bb 31651->31653 31693 85a1870 31694 85a187d 31693->31694 31695 85a188f 31694->31695 31697 85a1a00 31694->31697 31700 85a1a28 2 API calls 31697->31700 31701 85a1a18 31697->31701 31698 85a1a16 31698->31695 31700->31698 31703 85a1a28 31701->31703 31702 85a1a4c 31702->31698 31703->31702 31704 85a04bc GetCurrentThreadId 31703->31704 31707 85a1a7a 31703->31707 31705 85a1a70 31704->31705 31706 85a04bc GetCurrentThreadId 31705->31706 31706->31707 31708 85a1d8f GetCurrentThreadId 31707->31708 31709 85a1aa6 31707->31709 31708->31709 31709->31698 31710 f2fcc8 31711 f2fc5f DuplicateHandle 31710->31711 31714 f2fccb 31710->31714 31713 f2fc9e 31711->31713 31654 2a539f8 31657 2a5388c 31654->31657 31655 2a53a7a 31656 2a53b4f 31657->31656 31658 2a56380 12 API calls 31657->31658 31659 2a56370 12 API calls 31657->31659 31660 2a563de 12 API calls 31657->31660 31658->31655 31659->31655 31660->31655 31661 2a57538 31662 2a576c3 31661->31662 31663 2a5755e 31661->31663 31663->31662 31665 2a547f8 31663->31665 31666 2a577b8 PostMessageW 31665->31666 31667 2a57824 31666->31667 31667->31663 31469 2a5392a 31472 2a5388c 31469->31472 31470 2a53a7a 31471 2a53a24 31471->31471 31472->31471 31476 2a56380 31472->31476 31492 2a563de 31472->31492 31509 2a56370 31472->31509 31477 2a5639a 31476->31477 31480 2a563be 31477->31480 31525 2a56773 31477->31525 31529 2a568f1 31477->31529 31534 2a56c71 31477->31534 31538 2a56d31 31477->31538 31543 2a568b7 31477->31543 31548 2a56915 31477->31548 31553 2a56c4f 31477->31553 31558 2a56a6c 31477->31558 31563 2a56ba2 31477->31563 31568 2a56aa1 31477->31568 31572 2a5699d 31477->31572 31577 2a56853 31477->31577 31582 2a56a33 31477->31582 31480->31470 31493 2a5636c 31492->31493 31495 2a563e1 31492->31495 31494 2a563be 31493->31494 31496 2a56aa1 2 API calls 31493->31496 31497 2a56ba2 2 API calls 31493->31497 31498 2a56a6c 2 API calls 31493->31498 31499 2a56c4f 2 API calls 31493->31499 31500 2a56915 2 API calls 31493->31500 31501 2a568b7 2 API calls 31493->31501 31502 2a56d31 2 API calls 31493->31502 31503 2a56c71 2 API calls 31493->31503 31504 2a568f1 2 API calls 31493->31504 31505 2a56773 2 API calls 31493->31505 31506 2a56a33 2 API calls 31493->31506 31507 2a56853 2 API calls 31493->31507 31508 2a5699d 2 API calls 31493->31508 31494->31470 31496->31494 31497->31494 31498->31494 31499->31494 31500->31494 31501->31494 31502->31494 31503->31494 31504->31494 31505->31494 31506->31494 31507->31494 31508->31494 31510 2a56380 31509->31510 31511 2a563be 31510->31511 31512 2a56aa1 2 API calls 31510->31512 31513 2a56ba2 2 API calls 31510->31513 31514 2a56a6c 2 API calls 31510->31514 31515 2a56c4f 2 API calls 31510->31515 31516 2a56915 2 API calls 31510->31516 31517 2a568b7 2 API calls 31510->31517 31518 2a56d31 2 API calls 31510->31518 31519 2a56c71 2 API calls 31510->31519 31520 2a568f1 2 API calls 31510->31520 31521 2a56773 2 API calls 31510->31521 31522 2a56a33 2 API calls 31510->31522 31523 2a56853 2 API calls 31510->31523 31524 2a5699d 2 API calls 31510->31524 31511->31470 31512->31511 31513->31511 31514->31511 31515->31511 31516->31511 31517->31511 31518->31511 31519->31511 31520->31511 31521->31511 31522->31511 31523->31511 31524->31511 31586 2a53464 31525->31586 31590 2a53470 31525->31590 31530 2a568f6 31529->31530 31531 2a5698a 31530->31531 31594 2a52730 31530->31594 31598 2a52728 31530->31598 31531->31480 31602 2a53120 31534->31602 31606 2a53128 31534->31606 31535 2a56c8f 31539 2a5692c 31538->31539 31540 2a5694d 31538->31540 31610 2a531e0 31539->31610 31614 2a531e8 31539->31614 31540->31480 31544 2a56859 31543->31544 31545 2a567ec 31544->31545 31618 2a532d1 31544->31618 31622 2a532d8 31544->31622 31545->31480 31549 2a5691b 31548->31549 31551 2a531e0 WriteProcessMemory 31549->31551 31552 2a531e8 WriteProcessMemory 31549->31552 31550 2a5694d 31550->31480 31551->31550 31552->31550 31554 2a56c59 31553->31554 31556 2a531e0 WriteProcessMemory 31554->31556 31557 2a531e8 WriteProcessMemory 31554->31557 31555 2a57006 31556->31555 31557->31555 31559 2a56a75 31558->31559 31561 2a531e0 WriteProcessMemory 31559->31561 31562 2a531e8 WriteProcessMemory 31559->31562 31560 2a56a8d 31561->31560 31562->31560 31564 2a56b37 31563->31564 31565 2a56a8d 31564->31565 31566 2a531e0 WriteProcessMemory 31564->31566 31567 2a531e8 WriteProcessMemory 31564->31567 31566->31565 31567->31565 31626 2a527e0 31568->31626 31630 2a527d8 31568->31630 31569 2a56abb 31573 2a569a3 31572->31573 31575 2a52730 ResumeThread 31573->31575 31576 2a52728 ResumeThread 31573->31576 31574 2a5698a 31574->31480 31575->31574 31576->31574 31578 2a56859 31577->31578 31580 2a532d1 ReadProcessMemory 31578->31580 31581 2a532d8 ReadProcessMemory 31578->31581 31579 2a56878 31579->31480 31580->31579 31581->31579 31584 2a527e0 Wow64SetThreadContext 31582->31584 31585 2a527d8 Wow64SetThreadContext 31582->31585 31583 2a56a4d 31583->31480 31584->31583 31585->31583 31587 2a5346a CreateProcessA 31586->31587 31589 2a536bb 31587->31589 31591 2a534a1 CreateProcessA 31590->31591 31593 2a536bb 31591->31593 31595 2a52770 ResumeThread 31594->31595 31597 2a527a1 31595->31597 31597->31531 31599 2a52730 ResumeThread 31598->31599 31601 2a527a1 31599->31601 31601->31531 31603 2a53128 VirtualAllocEx 31602->31603 31605 2a531a5 31603->31605 31605->31535 31607 2a53168 VirtualAllocEx 31606->31607 31609 2a531a5 31607->31609 31609->31535 31611 2a531e8 WriteProcessMemory 31610->31611 31613 2a53287 31611->31613 31613->31540 31615 2a53230 WriteProcessMemory 31614->31615 31617 2a53287 31615->31617 31617->31540 31619 2a532d8 ReadProcessMemory 31618->31619 31621 2a53367 31619->31621 31621->31545 31623 2a53323 ReadProcessMemory 31622->31623 31625 2a53367 31623->31625 31625->31545 31627 2a52825 Wow64SetThreadContext 31626->31627 31629 2a5286d 31627->31629 31629->31569 31631 2a527e0 Wow64SetThreadContext 31630->31631 31633 2a5286d 31631->31633 31633->31569

                                            Executed Functions

                                            Function 085AB668 Relevance: 18.3, Strings: 12, Instructions: 3314COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1347765290.00000000085A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_85a0000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $($($-$-$.$.$.$7$7$k$$Iq
                                            • API String ID: 0-124126898
                                            • Opcode ID: 805fd1893793c30de891b1fe01e4a71abc1f12d7312572cbf8e1abe55fcdf728
                                            • Instruction ID: f87bc9ffd588b9f41c08f17e077a6fee3bbb4c0a13d97862ba2efbdf138a1ed6
                                            • Opcode Fuzzy Hash: 805fd1893793c30de891b1fe01e4a71abc1f12d7312572cbf8e1abe55fcdf728
                                            • Instruction Fuzzy Hash: 24730534A107198FDB64EF28C894B9AB7B2FF89300F5045E9E549AB351DB71AE81CF41
                                            Function 085AB658 Relevance: 18.3, Strings: 12, Instructions: 3288COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 954 85ab658-85ab6c3 958 85ab6cd-85ab6d1 call 85ab1a0 954->958 960 85ab6d6-85ab97c call 85ab1b0 958->960 1017 85ab982-85ab994 960->1017 1018 85aba13-85abb2f 960->1018 1019 85ab99a-85ab9b6 1017->1019 1020 85aef90-85aefaf 1017->1020 1060 85abb36-85abb3c 1018->1060 1019->1020 1021 85ab9bc-85ab9d3 1019->1021 1031 85aefb9-85aefbd call 85ab31c 1020->1031 1021->1020 1024 85ab9d9-85ab9ec 1021->1024 1026 85ab9ee-85ab9f5 1024->1026 1027 85ab9f6-85aba02 1024->1027 1026->1027 1027->1020 1029 85aba08-85aba0d 1027->1029 1029->1017 1029->1018 1034 85aefc2-85aefcf call 85ab32c 1031->1034 1038 85aefd4-85aefd6 call 85ab33c 1034->1038 1041 85aefdb-85aefde 1038->1041 1061 85abb45-85abb51 1060->1061 1062 85abb5b-85abb5f 1061->1062 1063 85abb65-85abb69 1062->1063 1063->1020 1064 85abb6f-85abc33 1063->1064 1077 85abc3d-85abc55 1064->1077 1078 85abc5b-85aef8f call 85ab1c0 call 85ab1d0 call 85ab1e0 call 85ab1f0 call 85ab200 call 85ab210 call 85ab220 call 85ab230 * 4 call 85ab240 * 16 call 85ab258 call 85ab268 * 4 call 85ab278 call 85a02a0 call 85ab278 call 85a02a0 call 85ab278 call 85a02a0 call 85ab278 call 85a02a0 call 85ab278 call 85a02a0 call 85ab278 call 85a02a0 call 85ab278 call 85a02a0 call 85ab278 call 85a02a0 call 85ab278 call 85a02a0 call 85ab278 call 85a02a0 call 85ab278 call 85a02a0 call 85ab278 call 85a02a0 call 85ab278 call 85a02a0 call 85ab278 call 85a02a0 call 85ab278 call 85a02a0 call 85ab278 call 85a02a0 call 85ab288 call 85ab298 * 3 call 85ab2a8 call 85ab2b8 call 85ab2c8 1077->1078
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1347765290.00000000085A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_85a0000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $($($-$-$.$.$.$7$7$k$$Iq
                                            • API String ID: 0-124126898
                                            • Opcode ID: d7a2cbceca3ab3be2c85a11ae5cdd1631b5be3cbd8d183329c812e5359ec40ac
                                            • Instruction ID: a0082df26633bf40d83c2388310e956985f3e55391ffb02b95cba52aa1a4759b
                                            • Opcode Fuzzy Hash: d7a2cbceca3ab3be2c85a11ae5cdd1631b5be3cbd8d183329c812e5359ec40ac
                                            • Instruction Fuzzy Hash: 6E730534A107198FDB64EF28C894B9AB7B2FF89300F5045E9E449AB351DB71AE81CF41
                                            Function 00F274C3 Relevance: 4.7, Strings: 3, Instructions: 944COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1852 f274c3-f274c5 1853 f27472 1852->1853 1854 f274c7-f274c9 1852->1854 1855 f27476-f27496 1853->1855 1854->1855 1856 f274cb-f27534 1854->1856 1862 f27498-f274a0 1855->1862 1859 f2753a-f27696 1856->1859 1860 f27a5f-f27a7c 1856->1860 1990 f276d0-f276d2 1859->1990 1991 f27698-f276ce 1859->1991 1864 f27af5-f27b3f 1860->1864 1865 f27a7e-f27aa2 1860->1865 1862->1852 1876 f27b41-f27b47 1864->1876 1877 f27b4c-f27b54 1864->1877 1870 f280e0-f2810f 1865->1870 1871 f27aa8-f27ab3 1865->1871 1888 f28111-f28119 1870->1888 1889 f28129-f2814f 1870->1889 1871->1870 1874 f27ab9-f27ad3 1871->1874 1874->1870 1878 f27ad9-f27af4 call f20210 1874->1878 1879 f27be2-f27c25 1876->1879 1880 f27b56-f27b78 1877->1880 1881 f27b7a 1877->1881 1894 f27caa-f27d25 1879->1894 1895 f27c2b-f27c5b 1879->1895 1885 f27b81-f27b83 1880->1885 1881->1885 1891 f27b85-f27b87 1885->1891 1892 f27b89-f27b9f 1885->1892 1888->1889 1896 f2811b-f28128 1888->1896 1901 f28151-f28161 1889->1901 1902 f2818f-f281a7 1889->1902 1891->1879 1892->1879 1904 f27ba1-f27ba4 1892->1904 1894->1870 1906 f27d2b-f27d54 1894->1906 1895->1870 1905 f27c61-f27c68 1895->1905 1917 f28163-f28177 1901->1917 1918 f2817e-f28185 1901->1918 1915 f281c4-f281c8 1902->1915 1916 f281a9-f281bd 1902->1916 1907 f27baa-f27bb2 1904->1907 1905->1870 1909 f27c6e-f27c7a 1905->1909 1906->1870 1912 f27d5a-f27d67 1906->1912 1907->1870 1913 f27bb8-f27be0 1907->1913 1909->1870 1914 f27c80-f27c8c 1909->1914 1912->1870 1919 f27d6d-f27d89 1912->1919 1913->1879 1913->1907 1914->1870 1923 f27c92-f27ca2 1914->1923 1915->1902 1924 f281ca-f281ce 1915->1924 1916->1915 1917->1918 1925 f28187-f2818e 1918->1925 1926 f281cf-f2823a 1918->1926 1921 f27e15-f27e42 1919->1921 1922 f27d8f-f27d95 1919->1922 1930 f27e44-f27e48 1921->1930 1931 f27e9a-f27eac 1921->1931 1927 f27d97-f27dbe 1922->1927 1928 f27dc4-f27dd9 1922->1928 1923->1894 1927->1928 1928->1870 1935 f27ddf-f27dfb 1928->1935 1930->1931 1936 f27e4a 1930->1936 1937 f27eb5-f27eb9 1931->1937 1938 f27eae-f27eb3 1931->1938 1935->1870 1940 f27e01-f27e0f 1935->1940 1941 f27e4f-f27e5d 1936->1941 1937->1870 1945 f27ebf-f27ec7 1937->1945 1944 f27f1b-f27f22 1938->1944 1940->1921 1940->1922 1941->1870 1950 f27e63-f27e78 1941->1950 1948 f27f24-f27f32 1944->1948 1949 f27f8a-f27faa 1944->1949 1945->1870 1946 f27ecd-f27eda 1945->1946 1946->1870 1951 f27ee0-f27eed 1946->1951 1948->1949 1954 f27f34-f27f4c 1948->1954 1966 f27fad-f27fd8 1949->1966 1950->1870 1955 f27e7e-f27e8b 1950->1955 1951->1870 1956 f27ef3-f27f10 1951->1956 1963 f27f78-f27f88 call f20210 1954->1963 1964 f27f4e 1954->1964 1955->1870 1958 f27e91-f27e98 1955->1958 1956->1944 1958->1931 1958->1941 1963->1966 1968 f27f51-f27f53 1964->1968 1970 f28063-f28076 1966->1970 1971 f27fde-f28060 1966->1971 1968->1870 1972 f27f59-f27f67 1968->1972 1973 f280d5-f280df 1970->1973 1974 f28078-f280b1 1970->1974 1971->1970 1972->1870 1976 f27f6d-f27f76 1972->1976 1974->1973 1987 f280b3-f280cf 1974->1987 1976->1963 1976->1968 1987->1973 1993 f276d4-f276d6 1990->1993 1994 f276d8-f276e2 1990->1994 1991->1990 1996 f276e4-f276fa 1993->1996 1994->1996 1997 f27700-f27708 1996->1997 1998 f276fc-f276fe 1996->1998 2000 f2770a-f2770f 1997->2000 1998->2000 2003 f27711-f27720 2000->2003 2004 f27726-f2774d 2000->2004 2003->2004 2007 f27785-f2778f 2004->2007 2008 f2774f-f2775b 2004->2008 2009 f27791 2007->2009 2010 f27798-f27821 2007->2010 2008->2007 2011 f2775d-f2776a 2008->2011 2009->2010 2021 f27823-f2785d 2010->2021 2022 f2785f-f2786d 2010->2022 2014 f27770-f2777f 2011->2014 2015 f2776c-f2776e 2011->2015 2014->2007 2015->2007 2025 f27878-f2788c 2021->2025 2022->2025 2028 f27897-f278b2 2025->2028 2043 f278b5 call f28940 2028->2043 2044 f278b5 call f28930 2028->2044 2045 f278b5 call f289e1 2028->2045 2046 f278b5 call f2888f 2028->2046 2029 f278bb-f27912 2032 f2791a-f27920 2029->2032 2041 f27926 call f29260 2032->2041 2042 f27926 call f29251 2032->2042 2033 f2792c-f2792e 2034 f27930-f2795a 2033->2034 2035 f2795c-f27978 2033->2035 2034->2035 2038 f27986 2035->2038 2039 f2797a 2035->2039 2038->1860 2039->2038 2041->2033 2042->2033 2043->2029 2044->2029 2045->2029 2046->2029
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1339365444.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f20000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LRq$LRq$\sq
                                            • API String ID: 0-3677092283
                                            • Opcode ID: 623037530593fc054c7a81a9a441110ec1a4f0521629b021e929fdc77bcb8b57
                                            • Instruction ID: e97617e84f94f8622d9ae43b8e99b0ec26a43e00922bd2500fc70e0634f8c646
                                            • Opcode Fuzzy Hash: 623037530593fc054c7a81a9a441110ec1a4f0521629b021e929fdc77bcb8b57
                                            • Instruction Fuzzy Hash: 62827B75E042298FCB14DF69E884AAEBBF2FF88310F14C569D405EB255DB34AD45CB90
                                            Function 00F2750A Relevance: 2.8, Strings: 2, Instructions: 313COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2113 f2750a-f27520 2115 f27522-f2752c 2113->2115 2116 f2752d-f27534 2113->2116 2115->2116 2117 f2753a-f27696 2116->2117 2118 f27a5f-f27a7c 2116->2118 2246 f276d0-f276d2 2117->2246 2247 f27698-f276ce 2117->2247 2121 f27af5-f27b3f 2118->2121 2122 f27a7e-f27aa2 2118->2122 2132 f27b41-f27b47 2121->2132 2133 f27b4c-f27b54 2121->2133 2126 f280e0-f2810f 2122->2126 2127 f27aa8-f27ab3 2122->2127 2144 f28111-f28119 2126->2144 2145 f28129-f2814f 2126->2145 2127->2126 2130 f27ab9-f27ad3 2127->2130 2130->2126 2134 f27ad9-f27af4 call f20210 2130->2134 2135 f27be2-f27c25 2132->2135 2136 f27b56-f27b78 2133->2136 2137 f27b7a 2133->2137 2150 f27caa-f27d25 2135->2150 2151 f27c2b-f27c5b 2135->2151 2141 f27b81-f27b83 2136->2141 2137->2141 2147 f27b85-f27b87 2141->2147 2148 f27b89-f27b9f 2141->2148 2144->2145 2152 f2811b-f28128 2144->2152 2157 f28151-f28161 2145->2157 2158 f2818f-f281a7 2145->2158 2147->2135 2148->2135 2160 f27ba1-f27ba4 2148->2160 2150->2126 2162 f27d2b-f27d54 2150->2162 2151->2126 2161 f27c61-f27c68 2151->2161 2173 f28163-f28177 2157->2173 2174 f2817e-f28185 2157->2174 2171 f281c4-f281c8 2158->2171 2172 f281a9-f281bd 2158->2172 2163 f27baa-f27bb2 2160->2163 2161->2126 2165 f27c6e-f27c7a 2161->2165 2162->2126 2168 f27d5a-f27d67 2162->2168 2163->2126 2169 f27bb8-f27be0 2163->2169 2165->2126 2170 f27c80-f27c8c 2165->2170 2168->2126 2175 f27d6d-f27d89 2168->2175 2169->2135 2169->2163 2170->2126 2179 f27c92-f27ca2 2170->2179 2171->2158 2180 f281ca-f281ce 2171->2180 2172->2171 2173->2174 2181 f28187-f2818e 2174->2181 2182 f281cf-f2823a 2174->2182 2177 f27e15-f27e42 2175->2177 2178 f27d8f-f27d95 2175->2178 2186 f27e44-f27e48 2177->2186 2187 f27e9a-f27eac 2177->2187 2183 f27d97-f27dbe 2178->2183 2184 f27dc4-f27dd9 2178->2184 2179->2150 2183->2184 2184->2126 2191 f27ddf-f27dfb 2184->2191 2186->2187 2192 f27e4a 2186->2192 2193 f27eb5-f27eb9 2187->2193 2194 f27eae-f27eb3 2187->2194 2191->2126 2196 f27e01-f27e0f 2191->2196 2197 f27e4f-f27e5d 2192->2197 2193->2126 2201 f27ebf-f27ec7 2193->2201 2200 f27f1b-f27f22 2194->2200 2196->2177 2196->2178 2197->2126 2206 f27e63-f27e78 2197->2206 2204 f27f24-f27f32 2200->2204 2205 f27f8a-f27faa 2200->2205 2201->2126 2202 f27ecd-f27eda 2201->2202 2202->2126 2207 f27ee0-f27eed 2202->2207 2204->2205 2210 f27f34-f27f4c 2204->2210 2222 f27fad-f27fd8 2205->2222 2206->2126 2211 f27e7e-f27e8b 2206->2211 2207->2126 2212 f27ef3-f27f10 2207->2212 2219 f27f78-f27f88 call f20210 2210->2219 2220 f27f4e 2210->2220 2211->2126 2214 f27e91-f27e98 2211->2214 2212->2200 2214->2187 2214->2197 2219->2222 2224 f27f51-f27f53 2220->2224 2226 f28063-f28076 2222->2226 2227 f27fde-f28060 2222->2227 2224->2126 2228 f27f59-f27f67 2224->2228 2229 f280d5-f280df 2226->2229 2230 f28078-f280b1 2226->2230 2227->2226 2228->2126 2232 f27f6d-f27f76 2228->2232 2230->2229 2243 f280b3-f280cf 2230->2243 2232->2219 2232->2224 2243->2229 2249 f276d4-f276d6 2246->2249 2250 f276d8-f276e2 2246->2250 2247->2246 2252 f276e4-f276fa 2249->2252 2250->2252 2253 f27700-f27708 2252->2253 2254 f276fc-f276fe 2252->2254 2256 f2770a-f2770f 2253->2256 2254->2256 2259 f27711-f27720 2256->2259 2260 f27726-f2774d 2256->2260 2259->2260 2263 f27785-f2778f 2260->2263 2264 f2774f-f2775b 2260->2264 2265 f27791 2263->2265 2266 f27798-f27821 2263->2266 2264->2263 2267 f2775d-f2776a 2264->2267 2265->2266 2277 f27823-f2785d 2266->2277 2278 f2785f-f2786d 2266->2278 2270 f27770-f2777f 2267->2270 2271 f2776c-f2776e 2267->2271 2270->2263 2271->2263 2281 f27878-f2788c 2277->2281 2278->2281 2284 f27897-f278b2 2281->2284 2299 f278b5 call f28940 2284->2299 2300 f278b5 call f28930 2284->2300 2301 f278b5 call f289e1 2284->2301 2302 f278b5 call f2888f 2284->2302 2285 f278bb-f27912 2288 f2791a-f27920 2285->2288 2297 f27926 call f29260 2288->2297 2298 f27926 call f29251 2288->2298 2289 f2792c-f2792e 2290 f27930-f2795a 2289->2290 2291 f2795c-f27978 2289->2291 2290->2291 2294 f27986 2291->2294 2295 f2797a 2291->2295 2294->2118 2295->2294 2297->2289 2298->2289 2299->2285 2300->2285 2301->2285 2302->2285
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1339365444.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f20000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LRq$\sq
                                            • API String ID: 0-576302416
                                            • Opcode ID: cafc0b5a1d4f65734c0fff7b9ab88e4fe9633108d5c5089e06aae40e96a9566a
                                            • Instruction ID: 29271aff1538264dc8f3fb3b0d7afe0d23c84fbf14b87dcf3ea62d34975579b4
                                            • Opcode Fuzzy Hash: cafc0b5a1d4f65734c0fff7b9ab88e4fe9633108d5c5089e06aae40e96a9566a
                                            • Instruction Fuzzy Hash: A0C16D35E143299FDB14DF79E885AAEBBF2BF88300F158629D405EB354DB34AD018B91
                                            Function 00F28C52 Relevance: 1.4, Strings: 1, Instructions: 176COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1339365444.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f20000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            • Opcode ID: f05c2a3e3ca22225ce75800851b814213b4340275b1debe41f5ce82a4815872e
                                            • Instruction ID: 88f8f29b358d266d96414aae4ad89cbd4d8ad2400e6d9dd49b2d60ac372bd658
                                            • Opcode Fuzzy Hash: f05c2a3e3ca22225ce75800851b814213b4340275b1debe41f5ce82a4815872e
                                            • Instruction Fuzzy Hash: 34518D71F001258FCB14DFA9E8846AEBBE2FBC8255B1486B9D519CB345DB30EC568B90
                                            Function 00F28940 Relevance: .2, Instructions: 235COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1339365444.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f20000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 185c288b416da8a42a369a0efc8fcc6febf6a271ed2f24745628e4f37f37a3c9
                                            • Instruction ID: d752d60c80bd35e7f24f3cbbf1a277229a7f4e608492ae39697ad39b83d3bca5
                                            • Opcode Fuzzy Hash: 185c288b416da8a42a369a0efc8fcc6febf6a271ed2f24745628e4f37f37a3c9
                                            • Instruction Fuzzy Hash: 26818F32F112258FD714DB69D880B5EB7E3AFC8750F1A8165E409EB35ADE34EC429B90
                                            Function 00F289E1 Relevance: .2, Instructions: 188COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1339365444.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f20000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bec4d42127897b7d44cfe66deff90b7ffc962fc6ab542fd763cb17a8f39be9ac
                                            • Instruction ID: 0d1c2dd460bfa0b719a71093b3a33d601ccc56a92e6bc0b02b207e9511efc423
                                            • Opcode Fuzzy Hash: bec4d42127897b7d44cfe66deff90b7ffc962fc6ab542fd763cb17a8f39be9ac
                                            • Instruction Fuzzy Hash: BC614C32F116248FD714DB69D880B9EB7E3AFC8710F1A8165E409AB359DE34EC429B90
                                            Function 02A5696C Relevance: .0, Instructions: 10COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6057a6bd13fa9b136cdadf49b544373bcbd74e25c110853a5091b4c9caff83ad
                                            • Instruction ID: e0ed121e3fc316096a4cd9f647e3900198988655e15a8bfd6e17319b78ce76b7
                                            • Opcode Fuzzy Hash: 6057a6bd13fa9b136cdadf49b544373bcbd74e25c110853a5091b4c9caff83ad
                                            • Instruction Fuzzy Hash: 4CA001668CE039A0944198106A140BBC1BD625B140A8570409C0B3202B9C308418890C
                                            Function 00F2F9B3 Relevance: 6.1, APIs: 4, Instructions: 132threadCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1664 f2f9b3-f2fa4f GetCurrentProcess 1668 f2fa51-f2fa57 1664->1668 1669 f2fa58-f2fa8c GetCurrentThread 1664->1669 1668->1669 1670 f2fa95-f2fac9 GetCurrentProcess 1669->1670 1671 f2fa8e-f2fa94 1669->1671 1672 f2fad2-f2faea 1670->1672 1673 f2facb-f2fad1 1670->1673 1671->1670 1685 f2faed call f2fb90 1672->1685 1686 f2faed call f2ff8e 1672->1686 1673->1672 1677 f2faf3-f2fb22 GetCurrentThreadId 1678 f2fb24-f2fb2a 1677->1678 1679 f2fb2b-f2fb8d 1677->1679 1678->1679 1685->1677 1686->1677
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 00F2FA3E
                                            • GetCurrentThread.KERNEL32 ref: 00F2FA7B
                                            • GetCurrentProcess.KERNEL32 ref: 00F2FAB8
                                            • GetCurrentThreadId.KERNEL32 ref: 00F2FB11
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1339365444.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f20000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 88d7df1690381a8350e5604bb180aee9c9fce226eac12c84c10ba8fb396b1f4c
                                            • Instruction ID: a57fe28151adf7db3731b319870b2f863e06ccfa8d519f4674263ec3d7f1f232
                                            • Opcode Fuzzy Hash: 88d7df1690381a8350e5604bb180aee9c9fce226eac12c84c10ba8fb396b1f4c
                                            • Instruction Fuzzy Hash: DB5153B1D107498FEB14CFA9D548BDEBBF1EF88304F2084A9E408AB2A1D7745948CF65
                                            Function 00F2F9C0 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1687 f2f9c0-f2fa4f GetCurrentProcess 1691 f2fa51-f2fa57 1687->1691 1692 f2fa58-f2fa8c GetCurrentThread 1687->1692 1691->1692 1693 f2fa95-f2fac9 GetCurrentProcess 1692->1693 1694 f2fa8e-f2fa94 1692->1694 1695 f2fad2-f2faea 1693->1695 1696 f2facb-f2fad1 1693->1696 1694->1693 1708 f2faed call f2fb90 1695->1708 1709 f2faed call f2ff8e 1695->1709 1696->1695 1700 f2faf3-f2fb22 GetCurrentThreadId 1701 f2fb24-f2fb2a 1700->1701 1702 f2fb2b-f2fb8d 1700->1702 1701->1702 1708->1700 1709->1700
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 00F2FA3E
                                            • GetCurrentThread.KERNEL32 ref: 00F2FA7B
                                            • GetCurrentProcess.KERNEL32 ref: 00F2FAB8
                                            • GetCurrentThreadId.KERNEL32 ref: 00F2FB11
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1339365444.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f20000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 74fdcf8ea7b9275fba0c0f94c9b5cca94571390694d6dcaa9c8a2797a5eaccc7
                                            • Instruction ID: 1c980220e5fe2395bf53f71df12ebfdc900119883ea2deb1b918921b9b23ec2c
                                            • Opcode Fuzzy Hash: 74fdcf8ea7b9275fba0c0f94c9b5cca94571390694d6dcaa9c8a2797a5eaccc7
                                            • Instruction Fuzzy Hash: 305143B1D107198FEB14CFA9D548B9EBBF1EF88314F208469E408AB391D7749984CF65
                                            Function 085A1A28 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 253COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1710 85a1a28-85a1a4a 1711 85a1a4c-85a1a52 1710->1711 1712 85a1a53-85a1a5d 1710->1712 1714 85a1c99-85a1cc5 1712->1714 1715 85a1a63-85a1a7c call 85a04bc * 2 1712->1715 1722 85a1ccc-85a1d01 1714->1722 1715->1722 1723 85a1a82-85a1aa4 1715->1723 1742 85a1d48-85a1d4b 1722->1742 1730 85a1aa6-85a1ab4 call 85a04cc 1723->1730 1731 85a1ab5-85a1ac4 1723->1731 1736 85a1ae9-85a1b0a 1731->1736 1737 85a1ac6-85a1ae3 1731->1737 1747 85a1b5a-85a1b82 1736->1747 1748 85a1b0c-85a1b1d 1736->1748 1737->1736 1744 85a1d4c-85a1d78 1742->1744 1745 85a1d14-85a1d45 1742->1745 1752 85a1d7a-85a1d8d 1744->1752 1753 85a1d8f-85a1db5 GetCurrentThreadId 1744->1753 1745->1742 1781 85a1b85 call 85a1dd8 1747->1781 1782 85a1b85 call 85a1de3 1747->1782 1783 85a1b85 call 85a1f10 1747->1783 1755 85a1b1f-85a1b37 call 85a04dc 1748->1755 1756 85a1b4c-85a1b50 1748->1756 1761 85a1dc5-85a1dd2 1752->1761 1757 85a1dbe 1753->1757 1758 85a1db7-85a1dbd 1753->1758 1769 85a1b39-85a1b3a 1755->1769 1770 85a1b3c-85a1b4a 1755->1770 1756->1747 1757->1761 1758->1757 1764 85a1b88-85a1bad 1772 85a1baf-85a1bc4 1764->1772 1773 85a1bf3 1764->1773 1769->1770 1770->1755 1770->1756 1772->1773 1776 85a1bc6-85a1be9 1772->1776 1773->1714 1776->1773 1780 85a1beb 1776->1780 1780->1773 1781->1764 1782->1764 1783->1764
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1347765290.00000000085A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_85a0000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: |O$|O
                                            • API String ID: 0-1286496762
                                            • Opcode ID: c4dfdb9b3306ccfd21c7e99398b4ea844cfc6ef800da059e6690e41774249c5f
                                            • Instruction ID: 8a3baa6a941382778d6a581ff02648866ff89f251bc199dc03ffd97d554ecb7f
                                            • Opcode Fuzzy Hash: c4dfdb9b3306ccfd21c7e99398b4ea844cfc6ef800da059e6690e41774249c5f
                                            • Instruction Fuzzy Hash: 81A16D35A40618CFCB14DFA8D594AADBBF1FF88311F2444A9D406AB391CB35AD41CFA1
                                            Function 00F2D717 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 229COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1784 f2d717-f2d720 1785 f2d722-f2d737 1784->1785 1786 f2d6e7-f2d6e8 1784->1786 1789 f2d763-f2d767 1785->1789 1790 f2d739-f2d746 call f2ac7c 1785->1790 1787 f2d6d2-f2d6e6 1786->1787 1788 f2d6e9 1786->1788 1794 f2d6ee-f2d6f5 1787->1794 1788->1794 1791 f2d77b-f2d7bc 1789->1791 1792 f2d769-f2d773 1789->1792 1799 f2d748 1790->1799 1800 f2d75c 1790->1800 1804 f2d7c9-f2d7d7 1791->1804 1805 f2d7be-f2d7c6 1791->1805 1792->1791 1797 f2d6f7-f2d702 1794->1797 1798 f2d704-f2d70c 1794->1798 1803 f2d70f-f2d714 1797->1803 1798->1803 1848 f2d74e call f2d9c0 1799->1848 1849 f2d74e call f2d9b8 1799->1849 1800->1789 1807 f2d7fb-f2d7fd 1804->1807 1808 f2d7d9-f2d7de 1804->1808 1805->1804 1806 f2d754-f2d756 1806->1800 1811 f2d898-f2d958 1806->1811 1812 f2d800-f2d807 1807->1812 1809 f2d7e0-f2d7e7 call f2d0cc 1808->1809 1810 f2d7e9 1808->1810 1814 f2d7eb-f2d7f9 1809->1814 1810->1814 1843 f2d960-f2d98b GetModuleHandleW 1811->1843 1844 f2d95a-f2d95d 1811->1844 1815 f2d814-f2d81b 1812->1815 1816 f2d809-f2d811 1812->1816 1814->1812 1818 f2d828-f2d831 call f2d0dc 1815->1818 1819 f2d81d-f2d825 1815->1819 1816->1815 1824 f2d833-f2d83b 1818->1824 1825 f2d83e-f2d843 1818->1825 1819->1818 1824->1825 1827 f2d861-f2d865 1825->1827 1828 f2d845-f2d84c 1825->1828 1850 f2d868 call f2dcc0 1827->1850 1851 f2d868 call f2dcbb 1827->1851 1828->1827 1829 f2d84e-f2d85e call f2d0ec call f2d0fc 1828->1829 1829->1827 1832 f2d86b-f2d86e 1834 f2d870-f2d88e 1832->1834 1835 f2d891-f2d897 1832->1835 1834->1835 1845 f2d994-f2d9a8 1843->1845 1846 f2d98d-f2d993 1843->1846 1844->1843 1846->1845 1848->1806 1849->1806 1850->1832 1851->1832
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00F2D97E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1339365444.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f20000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID: |O$|O
                                            • API String ID: 4139908857-1286496762
                                            • Opcode ID: 4df2a0993881d5aafb33ada6748fb90a4d1dd43bb8119ec3696b82fe984033b2
                                            • Instruction ID: 4a03260458d177083b6e4d716a3b2160a1edaaf0e2f24f4ce11180658e891b91
                                            • Opcode Fuzzy Hash: 4df2a0993881d5aafb33ada6748fb90a4d1dd43bb8119ec3696b82fe984033b2
                                            • Instruction Fuzzy Hash: B2917B70A00B148FD725CF29E44579ABBF1FF88310F04892EE486DBA51D739E846CB91
                                            Function 02A53464 Relevance: 1.8, APIs: 1, Instructions: 270processCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2397 2a53464-2a53468 2398 2a534a1-2a53505 2397->2398 2399 2a5346a-2a5349b 2397->2399 2403 2a53507-2a53511 2398->2403 2404 2a5353e-2a5355e 2398->2404 2399->2398 2403->2404 2405 2a53513-2a53515 2403->2405 2411 2a53597-2a535c6 2404->2411 2412 2a53560-2a5356a 2404->2412 2406 2a53517-2a53521 2405->2406 2407 2a53538-2a5353b 2405->2407 2409 2a53525-2a53534 2406->2409 2410 2a53523 2406->2410 2407->2404 2409->2409 2413 2a53536 2409->2413 2410->2409 2418 2a535ff-2a536b9 CreateProcessA 2411->2418 2419 2a535c8-2a535d2 2411->2419 2412->2411 2414 2a5356c-2a5356e 2412->2414 2413->2407 2416 2a53591-2a53594 2414->2416 2417 2a53570-2a5357a 2414->2417 2416->2411 2420 2a5357c 2417->2420 2421 2a5357e-2a5358d 2417->2421 2432 2a536c2-2a53748 2418->2432 2433 2a536bb-2a536c1 2418->2433 2419->2418 2422 2a535d4-2a535d6 2419->2422 2420->2421 2421->2421 2423 2a5358f 2421->2423 2424 2a535f9-2a535fc 2422->2424 2425 2a535d8-2a535e2 2422->2425 2423->2416 2424->2418 2427 2a535e4 2425->2427 2428 2a535e6-2a535f5 2425->2428 2427->2428 2428->2428 2429 2a535f7 2428->2429 2429->2424 2443 2a53758-2a5375c 2432->2443 2444 2a5374a-2a5374e 2432->2444 2433->2432 2446 2a5376c-2a53770 2443->2446 2447 2a5375e-2a53762 2443->2447 2444->2443 2445 2a53750 2444->2445 2445->2443 2449 2a53780-2a53784 2446->2449 2450 2a53772-2a53776 2446->2450 2447->2446 2448 2a53764 2447->2448 2448->2446 2452 2a53796-2a5379d 2449->2452 2453 2a53786-2a5378c 2449->2453 2450->2449 2451 2a53778 2450->2451 2451->2449 2454 2a537b4 2452->2454 2455 2a5379f-2a537ae 2452->2455 2453->2452 2457 2a537b5 2454->2457 2455->2454 2457->2457
                                            APIs
                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 02A536A6
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 2e2aeb4dd2ca3a949eec68230dc54d9b77a1e3814371d418ccc49d633c100f3f
                                            • Instruction ID: 45d914f628e9ebcee8db06ca8f90b1b03bf4987b1f66241325e6822d397bead1
                                            • Opcode Fuzzy Hash: 2e2aeb4dd2ca3a949eec68230dc54d9b77a1e3814371d418ccc49d633c100f3f
                                            • Instruction Fuzzy Hash: 32A15C71D00269DFEF14CF69C881BEEBBB2BF84354F1485AAE805A7240DB749985CF91
                                            Function 02A53470 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2458 2a53470-2a53505 2461 2a53507-2a53511 2458->2461 2462 2a5353e-2a5355e 2458->2462 2461->2462 2463 2a53513-2a53515 2461->2463 2469 2a53597-2a535c6 2462->2469 2470 2a53560-2a5356a 2462->2470 2464 2a53517-2a53521 2463->2464 2465 2a53538-2a5353b 2463->2465 2467 2a53525-2a53534 2464->2467 2468 2a53523 2464->2468 2465->2462 2467->2467 2471 2a53536 2467->2471 2468->2467 2476 2a535ff-2a536b9 CreateProcessA 2469->2476 2477 2a535c8-2a535d2 2469->2477 2470->2469 2472 2a5356c-2a5356e 2470->2472 2471->2465 2474 2a53591-2a53594 2472->2474 2475 2a53570-2a5357a 2472->2475 2474->2469 2478 2a5357c 2475->2478 2479 2a5357e-2a5358d 2475->2479 2490 2a536c2-2a53748 2476->2490 2491 2a536bb-2a536c1 2476->2491 2477->2476 2480 2a535d4-2a535d6 2477->2480 2478->2479 2479->2479 2481 2a5358f 2479->2481 2482 2a535f9-2a535fc 2480->2482 2483 2a535d8-2a535e2 2480->2483 2481->2474 2482->2476 2485 2a535e4 2483->2485 2486 2a535e6-2a535f5 2483->2486 2485->2486 2486->2486 2487 2a535f7 2486->2487 2487->2482 2501 2a53758-2a5375c 2490->2501 2502 2a5374a-2a5374e 2490->2502 2491->2490 2504 2a5376c-2a53770 2501->2504 2505 2a5375e-2a53762 2501->2505 2502->2501 2503 2a53750 2502->2503 2503->2501 2507 2a53780-2a53784 2504->2507 2508 2a53772-2a53776 2504->2508 2505->2504 2506 2a53764 2505->2506 2506->2504 2510 2a53796-2a5379d 2507->2510 2511 2a53786-2a5378c 2507->2511 2508->2507 2509 2a53778 2508->2509 2509->2507 2512 2a537b4 2510->2512 2513 2a5379f-2a537ae 2510->2513 2511->2510 2515 2a537b5 2512->2515 2513->2512 2515->2515
                                            APIs
                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 02A536A6
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 08b8d06d91fd898a7aa00b0ac8573e3e3228895e81c450a0008e8e4f24f935ca
                                            • Instruction ID: b550c62163b1ef55357facc476d2d0e26f9a917df584de61b0ffd5630a02cbe6
                                            • Opcode Fuzzy Hash: 08b8d06d91fd898a7aa00b0ac8573e3e3228895e81c450a0008e8e4f24f935ca
                                            • Instruction Fuzzy Hash: 58914C71D00269DFEF14CF69C881BEEBBB2BF44354F1485A9E809A7240DB749985CF91
                                            Function 00F2FCC8 Relevance: 1.6, APIs: 1, Instructions: 108COMMON
                                            Download Yara Rule
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F2FC8F
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1339365444.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f20000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: ac08c9002b6a2405983b226daf2da7b6e85c320249a5d636059c776d675d414d
                                            • Instruction ID: d7dc7002b8ef244d443c1884dabf5d5bdea964fcbcc8ffd224177e938d0b0c2f
                                            • Opcode Fuzzy Hash: ac08c9002b6a2405983b226daf2da7b6e85c320249a5d636059c776d675d414d
                                            • Instruction Fuzzy Hash: 3641AB74A903889FEB01DF71E844BA97BB9FB89351F108829E951DB3D5CB744902EF21
                                            Function 00F258EC Relevance: 1.6, APIs: 1, Instructions: 99COMMON
                                            Download Yara Rule
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00F259A9
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1339365444.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f20000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 948a3cdf4fca7b001d37b94e1883e19c78aefc719c0fa8bf8b4dfa6da85acab8
                                            • Instruction ID: 27b901e0ee4cc86b2867c5704ee6c9968b5a5ed0793e721fbc571df56362845a
                                            • Opcode Fuzzy Hash: 948a3cdf4fca7b001d37b94e1883e19c78aefc719c0fa8bf8b4dfa6da85acab8
                                            • Instruction Fuzzy Hash: FD41F4B1C00729CFEB25CFA9C885B8EBBB5BF49704F20805AD408AB251D7756945CF50
                                            Function 00F2FB90 Relevance: 1.6, APIs: 1, Instructions: 99COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1339365444.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f20000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2d496876c4faf3f8c4145beacffc6252a618fc1d8d040e38da0c6a40ed3a55ce
                                            • Instruction ID: efcbde33284e511fd14cb625079dfc14c7d544a4050c2754aa3ebc7e0888a5e6
                                            • Opcode Fuzzy Hash: 2d496876c4faf3f8c4145beacffc6252a618fc1d8d040e38da0c6a40ed3a55ce
                                            • Instruction Fuzzy Hash: A131B175A002199FCB05CF58D844EDEBBF5FF89310F2481A9E905AB362D6319845CFA1
                                            Function 00F244B4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                            Download Yara Rule
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00F259A9
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1339365444.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f20000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 7e99bd4bbf091c86a341ddaf8bc6720226063406eabdb3cda47d44d37f28090f
                                            • Instruction ID: ab6d86664014c0fcd3ef9c6bf73ef17da60ea9e41de72f7240fefa3c2defab9d
                                            • Opcode Fuzzy Hash: 7e99bd4bbf091c86a341ddaf8bc6720226063406eabdb3cda47d44d37f28090f
                                            • Instruction Fuzzy Hash: 3141E271C0072DCFEB24DFA9C884B9EBBB5BF49704F60816AD408AB251DB756946CF90
                                            Function 02A531E0 Relevance: 1.6, APIs: 1, Instructions: 75injectionCOMMON
                                            Download Yara Rule
                                            APIs
                                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 02A53278
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 2ac40bfab17799347ccf8cc4a3a3308fc1f777a6422f0c388cd94b2788d34659
                                            • Instruction ID: 03244eaf471e2aa95cf3027f86b7d53de2c94c351f6f178e12fe04dec1670c4b
                                            • Opcode Fuzzy Hash: 2ac40bfab17799347ccf8cc4a3a3308fc1f777a6422f0c388cd94b2788d34659
                                            • Instruction Fuzzy Hash: A92106769003599FDB10CFA9C985BEEBBF5FF48310F10842AE958A7640CB789944CBA5
                                            Function 02A531E8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                            Download Yara Rule
                                            APIs
                                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 02A53278
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: d16b68232de165369c83654519bb2ac09d9229b62c6d4fb9a9e5343593674070
                                            • Instruction ID: 1ea16bb4499c0db71645ad7e611d21ea9ec53c47d9993709cc5cd537ee038900
                                            • Opcode Fuzzy Hash: d16b68232de165369c83654519bb2ac09d9229b62c6d4fb9a9e5343593674070
                                            • Instruction Fuzzy Hash: D02126759003599FDF10CFAAC984BEEBBF5FF48310F10842AE918A7240CB789944CBA5
                                            Function 02A532D1 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                            Download Yara Rule
                                            APIs
                                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 02A53358
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 1e7deb6d050b2fab4303ea2af39201174723431953e1219f0f840317a1dc8ece
                                            • Instruction ID: 33ec7efd94705493f2162955fe0713027262c383a1f77229994e34a363d12ea7
                                            • Opcode Fuzzy Hash: 1e7deb6d050b2fab4303ea2af39201174723431953e1219f0f840317a1dc8ece
                                            • Instruction Fuzzy Hash: F4213971C003599FDB10CFAAC940BEEBBF5FF48320F10842AE918A7640CB389504DBA5
                                            Function 02A527D8 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02A5285E
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 16cb6b884f4b4a7f8fe4801402c618ed1d44fb27649ac1c2f9b12062c2dd8693
                                            • Instruction ID: 3667f4bf53a4142ab727021cdf83762cfe168c0eb017b4eeb297b1229aabd9b6
                                            • Opcode Fuzzy Hash: 16cb6b884f4b4a7f8fe4801402c618ed1d44fb27649ac1c2f9b12062c2dd8693
                                            • Instruction Fuzzy Hash: 5E214571D003088FDB14CFAAC5857EEBBF4EF48224F14842AD959A7640CB78A945CBA5
                                            Function 00F2FC00 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                            Download Yara Rule
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F2FC8F
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1339365444.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f20000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 28e19cf4558eb2030bf40479a3e8eeb56fe862116ca32ac2c3955cb41ac1a8c9
                                            • Instruction ID: b403abb66d8c57cdac5299efe5b85cdc0a0468db805131f15cd3f1a723a2d2fb
                                            • Opcode Fuzzy Hash: 28e19cf4558eb2030bf40479a3e8eeb56fe862116ca32ac2c3955cb41ac1a8c9
                                            • Instruction Fuzzy Hash: 362103B5D00248EFDB10CFAAD984ADEBBF5FB48310F14841AE958A7750C378AA44CF60
                                            Function 02A532D8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                            Download Yara Rule
                                            APIs
                                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 02A53358
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: d740ab1ef1ef4326b9b7f63a3315b54e421b80fc472ba7511e6e4fa3a675215b
                                            • Instruction ID: 1766102464e91f3eb2df0e37bdb8d4f8bf3feebd24706c7a800eb05ce2829de2
                                            • Opcode Fuzzy Hash: d740ab1ef1ef4326b9b7f63a3315b54e421b80fc472ba7511e6e4fa3a675215b
                                            • Instruction Fuzzy Hash: BC212871D003599FDB10CFAAC984BEEBBF5FF48310F10842AE918A7640CB399904DBA5
                                            Function 02A527E0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02A5285E
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: c32384cc4933467dc763ea10386d0af04edf1a507257da34eda496e6c154b36b
                                            • Instruction ID: b5e78b38fa60e5a5e1a32c16b96bfa91336995db0b1dab2fdf80872e5bba2288
                                            • Opcode Fuzzy Hash: c32384cc4933467dc763ea10386d0af04edf1a507257da34eda496e6c154b36b
                                            • Instruction Fuzzy Hash: B3213471D003088FDB14CFAAC584BEEBBF4EF48214F14842AD959A7640CB78A945CBA5
                                            Function 00F2FC08 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                            Download Yara Rule
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F2FC8F
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1339365444.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f20000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 688c1d0fcf71789fb264ae0703c5f77c5d810e6d63e97c0bd5a02d670c72eaa9
                                            • Instruction ID: d592ce7beef0735eca6e4e6f0864fc128587c1d950906351793456f0dbfef310
                                            • Opcode Fuzzy Hash: 688c1d0fcf71789fb264ae0703c5f77c5d810e6d63e97c0bd5a02d670c72eaa9
                                            • Instruction Fuzzy Hash: D221E4B5D00248EFDB10CF9AD984ADEBBF4FB48310F14842AE954A7350D378AA44CF65
                                            Function 02A53120 Relevance: 1.6, APIs: 1, Instructions: 60memoryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 02A53196
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: bb1cf797caaeabb344b0725ef5a0915cc18421fcbac4c9d1426a982844e0cc5b
                                            • Instruction ID: 27d700b1f2dbbeb709ef98c1c7a5d2d2aa53a4ca2cd182573ee724ec95b95082
                                            • Opcode Fuzzy Hash: bb1cf797caaeabb344b0725ef5a0915cc18421fcbac4c9d1426a982844e0cc5b
                                            • Instruction Fuzzy Hash: E71156769002089FDF20CFAAC845BEFBBF5FB88320F10841AE915A7A50CB359540CBA1
                                            Function 00F2D128 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00F2D9F9,00000800,00000000,00000000), ref: 00F2DC0A
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1339365444.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f20000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 763861cad2f9c723887f6006e6035dc506416879dce5fd9d5e4eaec6bfe03735
                                            • Instruction ID: ee08d9d2a7759658ed9d177de84bf793ac66aa8f7e1b41b2c0507ed5395b88ec
                                            • Opcode Fuzzy Hash: 763861cad2f9c723887f6006e6035dc506416879dce5fd9d5e4eaec6bfe03735
                                            • Instruction Fuzzy Hash: 991117B6D003189FDB20CF9AD544BDEFBF4EB88310F10841AE519A7600C375A945CFA5
                                            Function 02A52728 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 90ba0d06f217e51611b59473674567065ee4af9c47c65e8fd1383c19b9927230
                                            • Instruction ID: 7b848aecbf7d7da5765d4b6f04d8db096ab4b8d03dd6c91121bb524bd732b05b
                                            • Opcode Fuzzy Hash: 90ba0d06f217e51611b59473674567065ee4af9c47c65e8fd1383c19b9927230
                                            • Instruction Fuzzy Hash: 03113775900348CFDB24DFAAD4457EFFBF4EF48224F20841AD555A7A40CB39A940CB95
                                            Function 00F2DB9B Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00F2D9F9,00000800,00000000,00000000), ref: 00F2DC0A
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1339365444.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f20000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 3e2928e8fc5fe2a4dc43d8004a6ec0a274cbe33eb6e217752f7c44f8505de5dd
                                            • Instruction ID: 7ccc9336c44b990e77ec417c813c3d26d831e38fdefeb8a642c23a7964fc0517
                                            • Opcode Fuzzy Hash: 3e2928e8fc5fe2a4dc43d8004a6ec0a274cbe33eb6e217752f7c44f8505de5dd
                                            • Instruction Fuzzy Hash: 801103B6D002088FDB14CF9AD544ADEFBF4EB88310F14841AD419A7600C375A945CFA4
                                            Function 02A53128 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 02A53196
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: c34b05d07665c23e79e4e8d15ba77ab061af58995964c167d5d21534ecd3ab50
                                            • Instruction ID: 735021b6a1a1755c903e72238dd0d3fa4916109c6f07fa9f2526e51dd4a5ed7e
                                            • Opcode Fuzzy Hash: c34b05d07665c23e79e4e8d15ba77ab061af58995964c167d5d21534ecd3ab50
                                            • Instruction Fuzzy Hash: AB1144729002489FDF20DFAAC844BDFBBF5FB88310F148419E915A7650CB359904CBA0
                                            Function 02A52730 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: dc176c18a8a35355ae633e6b8ae4120ed8233d5631f0df3b5dab1fe3fbee50ad
                                            • Instruction ID: 86e97760ccae399315764a7a39783d869df366448ce0bdba6bb8dd9852248e9d
                                            • Opcode Fuzzy Hash: dc176c18a8a35355ae633e6b8ae4120ed8233d5631f0df3b5dab1fe3fbee50ad
                                            • Instruction Fuzzy Hash: B9112875D003488FDB24DFAAC5447DFFBF4EF48224F248419D519A7640CB79A944CB95
                                            Function 00F2D918 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                            Download Yara Rule
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00F2D97E
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1339365444.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f20000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: d55f81a50032857457d120d5933be07f456f8627212517110d2f306c4f3405ce
                                            • Instruction ID: d70a79ebe29d87d2082b224ad9fc95940d055f54ae549df209631c463d0913c1
                                            • Opcode Fuzzy Hash: d55f81a50032857457d120d5933be07f456f8627212517110d2f306c4f3405ce
                                            • Instruction Fuzzy Hash: 75110FB6C002498FDB20CF9AD444ADEFBF4EB88324F10841AE458A7600C379A545CFA5
                                            Function 02A547F8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 02A57815
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 8e8808f8c84182e22c4283b9220dffc9148d2bc38f5c172326de74171d347cd9
                                            • Instruction ID: 08d8e084b74653715e3e0623acfb607abfee635ac5a21068d0b7aa79d07b1553
                                            • Opcode Fuzzy Hash: 8e8808f8c84182e22c4283b9220dffc9148d2bc38f5c172326de74171d347cd9
                                            • Instruction Fuzzy Hash: 1D11E3B5800258DFDB20DF9AD984BDFFBF8EB48314F108459E958A7610D375A944CFA1
                                            Function 02A577B1 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 02A57815
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 710841e903293e3d5d2b616b0a7d2bffff06a6537d79f6d5f967ba8ec22d9940
                                            • Instruction ID: a7e5be89c35e58861bc69417112ffa6cc54dd8f03dcf58278e599d9c627a5896
                                            • Opcode Fuzzy Hash: 710841e903293e3d5d2b616b0a7d2bffff06a6537d79f6d5f967ba8ec22d9940
                                            • Instruction Fuzzy Hash: 8311E3B58002499FDB20CF9AD985BDEFBF8EB48324F10845AE954A7610D375A984CFA1
                                            Function 00E2D528 Relevance: .1, Instructions: 75COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1338088003.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e2d000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1f67e9dcdd445103e9e4c6c8930cde1891ec1ee6f6a79ef27758335acfaea09b
                                            • Instruction ID: dc0478e665e55040c25941be4808106f40ac86bcb4a9ce1c19165e1ec9f8b8d9
                                            • Opcode Fuzzy Hash: 1f67e9dcdd445103e9e4c6c8930cde1891ec1ee6f6a79ef27758335acfaea09b
                                            • Instruction Fuzzy Hash: 6E214872548240DFDB15DF14EDC0B26BF65FB94318F20856DEA0A1F256C376D846CAA2
                                            Function 00E3D294 Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1338268340.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e3d000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 29536fca373fc8937c3a2ee4122e8e0ee7f27f06f93113b72a364eb6e0df1c47
                                            • Instruction ID: e2700f5efa0ad2b2611b03ef263632e13b779a60cd094ecc5e42668da40f41e5
                                            • Opcode Fuzzy Hash: 29536fca373fc8937c3a2ee4122e8e0ee7f27f06f93113b72a364eb6e0df1c47
                                            • Instruction Fuzzy Hash: 2A21F571508204EFDB15DF24E9C8B26BFA5FB84318F24C56DE8095B292C33ADC46CA62
                                            Function 00E3D0DC Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1338268340.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e3d000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2716643b0db1b1511c224178eb1d512c15fc9bc8bc5903e19581fba6539cec31
                                            • Instruction ID: 60e250aabb29dda061c3125e6ff1ea15ee1d48f3ef8f1b3c7d2ed4bbcebe68a8
                                            • Opcode Fuzzy Hash: 2716643b0db1b1511c224178eb1d512c15fc9bc8bc5903e19581fba6539cec31
                                            • Instruction Fuzzy Hash: 5221D3B1508304EFDB14DF14E988B26BF65FB84318F20C56DE9095B296C336D846CA62
                                            Function 00E2D523 Relevance: .1, Instructions: 56COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1338088003.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e2d000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                                            • Instruction ID: 688d621927336ae003a47e5c64798332487f4175933d70ffbed0723f3b81d0f1
                                            • Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                                            • Instruction Fuzzy Hash: 1211D376508280DFCB16CF10E9C4B16BF71FB94318F24C5A9D9090B656C336D856CBA2
                                            Function 00E3D28F Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1338268340.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e3d000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                            • Instruction ID: 63f345318f409008b9452085355864717a113cf42739b31093ce0adc36116e74
                                            • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                            • Instruction Fuzzy Hash: C5119D75508280DFDB16CF10E9C4B15FFB1FB84318F24C6A9D8494B696C33AD84ACB62

                                            Non-executed Functions

                                            Function 00F271A0 Relevance: 1.5, Strings: 1, Instructions: 204COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1339365444.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f20000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \sq
                                            • API String ID: 0-1116441132
                                            • Opcode ID: f436ebf513e40a5d08d378c25d68880b99aaeb792a01509db65d24fbffa9c9e1
                                            • Instruction ID: aea2d0ede771468999cfb963989323e7645d06ecff89cf3b05dfcb2127d5d5f1
                                            • Opcode Fuzzy Hash: f436ebf513e40a5d08d378c25d68880b99aaeb792a01509db65d24fbffa9c9e1
                                            • Instruction Fuzzy Hash: A5710778D4021ADFDF14DFAAE484AADBBB1FF48310F10A659D406EB291DB31AA41CF50
                                            Function 02A58C18 Relevance: .4, Instructions: 366COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2d94e7bece75328f8e4a1166925027fa51bc0f276d1141570b71f9e9f291c6a6
                                            • Instruction ID: 8089a51053be30385ebcae20cdde81899b57be88ad22469dfe74c42b130c0890
                                            • Opcode Fuzzy Hash: 2d94e7bece75328f8e4a1166925027fa51bc0f276d1141570b71f9e9f291c6a6
                                            • Instruction Fuzzy Hash: 1AD188317017208FDB29DB65D8507AFB6F7AF88704F14446EE9468B295CF38E845CB92
                                            Function 02A51F08 Relevance: .3, Instructions: 312COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 267751bba518a406aa9b8ae32f142aa2a4605cfcc9e8030733c5d46c228c87b9
                                            • Instruction ID: 5fbf24fec581c0f7a0c7554da13e2f798e99f372307aa9065bc77dd51a0a6b8a
                                            • Opcode Fuzzy Hash: 267751bba518a406aa9b8ae32f142aa2a4605cfcc9e8030733c5d46c228c87b9
                                            • Instruction Fuzzy Hash: CEE1DA74E002198FDB14DFA9C580AAEFBB2FF89305F248169D815AB356DB719D41CFA0
                                            Function 02A528B8 Relevance: .3, Instructions: 312COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a63a422855b9d9a689440d4ea91923d73ed814cf193fced4d908ae58c2037f18
                                            • Instruction ID: 868122324227866b4ccd81e9613308dfbe0da8908272e4130036da5388c16028
                                            • Opcode Fuzzy Hash: a63a422855b9d9a689440d4ea91923d73ed814cf193fced4d908ae58c2037f18
                                            • Instruction Fuzzy Hash: CEE1EB74E002198FDB14DFA9C580AAEFBB2FF89305F248169D915AB356DB319D41CFA0
                                            Function 02A52CF0 Relevance: .3, Instructions: 312COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 448c49d32f474ace8dbb0c018696439fca0f2a734bc1c0a1a3b486e285b08a06
                                            • Instruction ID: 141fe15cf0fa7481c7b0da33fee31a636feaad3edf9dd9f5f89bdfd69ec22731
                                            • Opcode Fuzzy Hash: 448c49d32f474ace8dbb0c018696439fca0f2a734bc1c0a1a3b486e285b08a06
                                            • Instruction Fuzzy Hash: 2EE1EA74E102198FDB14DFA9C580AAEFBB2FF89305F24816AD815AB356DB319D41CF60
                                            Function 02A50830 Relevance: .3, Instructions: 312COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 18b2221e517db0148dbe70ae30bdad8c180dd4fe856c3bbd552f59d15f9b5e25
                                            • Instruction ID: fd0c53857353a8077c0ed2f971a290ba66fc03274639b851392e8ce877e1637e
                                            • Opcode Fuzzy Hash: 18b2221e517db0148dbe70ae30bdad8c180dd4fe856c3bbd552f59d15f9b5e25
                                            • Instruction Fuzzy Hash: C7E1FB74E002198FDB14DFA9C580AAEFBB2FF89305F248169D815AB356DB31AD41CF60
                                            Function 02A50C68 Relevance: .3, Instructions: 312COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 850c54da4723eb7fb59b9c4f124d45ebd013324f0cb01231c2fdede6e29ee33c
                                            • Instruction ID: ec67fa8d8c64a15f758645b4aee8fb019b783408c0db923db544e9f8278978ea
                                            • Opcode Fuzzy Hash: 850c54da4723eb7fb59b9c4f124d45ebd013324f0cb01231c2fdede6e29ee33c
                                            • Instruction Fuzzy Hash: F4E1FD74E102198FDB14DFA9C580AAEFBB2FF89305F248159D815AB356DB31AD41CFA0
                                            Function 02A51EF7 Relevance: .1, Instructions: 138COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1bea8e576e3f5a8207a112c356520b136259745eef53982f2ab51c6ac0d88426
                                            • Instruction ID: 1a96fbfd1205b0fd5670bf3052949ae3530635d5e240336717c8a065a4d8e7a8
                                            • Opcode Fuzzy Hash: 1bea8e576e3f5a8207a112c356520b136259745eef53982f2ab51c6ac0d88426
                                            • Instruction Fuzzy Hash: 98510E74E042198FDB14DFA9C5806AEFBF2BF89304F24816AD858A7356DB319D41CFA1
                                            Function 02A528A7 Relevance: .1, Instructions: 134COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 31bcf5cf20d160271ac5625792aca7813f74a01af85ea8a642f0603d773098df
                                            • Instruction ID: f3a099f20871b2bea1ce6e611cf04a281dc5c3673795b5dd5a08db411763190c
                                            • Opcode Fuzzy Hash: 31bcf5cf20d160271ac5625792aca7813f74a01af85ea8a642f0603d773098df
                                            • Instruction Fuzzy Hash: BF510E74E042198FDB14DFA9C5806AFFBF2BF89304F24816AD818A7356DB319941CFA1
                                            Function 02A52CE1 Relevance: .1, Instructions: 134COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1342597580.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_2a50000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 076d5620f447d857a9a3d3f970e32dca9d9c32fa0e39e3897e0089d73162cd8f
                                            • Instruction ID: 5d843951b4dcca9bb33984c3ecb50e57462db8eb2a3e32c87720a0ad70496a66
                                            • Opcode Fuzzy Hash: 076d5620f447d857a9a3d3f970e32dca9d9c32fa0e39e3897e0089d73162cd8f
                                            • Instruction Fuzzy Hash: E9510D75E002198FDB14DFA9C5806AEFBF2BF89305F24816AD818A7356DB319D41CFA1
                                            Function 00F27989 Relevance: .1, Instructions: 106COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1339365444.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f20000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4753feaf8d9d5300fccd81252c24e6e4fb228acc0bdc6ce006651e3652b2a1cf
                                            • Instruction ID: d4240e385e380e327d12137caf45e56d50757cd53513827a996c954d9f824e55
                                            • Opcode Fuzzy Hash: 4753feaf8d9d5300fccd81252c24e6e4fb228acc0bdc6ce006651e3652b2a1cf
                                            • Instruction Fuzzy Hash: 50413679E5121E9FCF14CFA9E885AAEB7F2BF48310B14E215D006EB255DB39A905CB40

                                            Execution Graph

                                            Execution Coverage:12.6%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:17
                                            Total number of Limit Nodes:4
                                            execution_graph 23535 1590848 23536 159084e 23535->23536 23537 159091b 23536->23537 23539 159137f 23536->23539 23540 1591383 23539->23540 23541 1591480 23540->23541 23543 1597ea8 23540->23543 23541->23536 23544 1597eb2 23543->23544 23545 1597ecc 23544->23545 23548 6e4fa28 23544->23548 23552 6e4fa38 23544->23552 23545->23540 23550 6e4fa38 23548->23550 23549 6e4fc62 23549->23545 23550->23549 23551 6e4fc78 GlobalMemoryStatusEx GlobalMemoryStatusEx 23550->23551 23551->23550 23554 6e4fa4d 23552->23554 23553 6e4fc62 23553->23545 23554->23553 23555 6e4fc78 GlobalMemoryStatusEx GlobalMemoryStatusEx 23554->23555 23555->23554

                                            Executed Functions

                                            Function 06E43038 Relevance: 8.0, Strings: 6, Instructions: 545COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 0 6e43038-6e43059 1 6e4305b-6e4305e 0->1 2 6e43064-6e43083 1->2 3 6e437ff-6e43802 1->3 13 6e43085-6e43088 2->13 14 6e4309c-6e430a6 2->14 4 6e43804-6e43823 3->4 5 6e43828-6e4382a 3->5 4->5 6 6e43831-6e43834 5->6 7 6e4382c 5->7 6->1 9 6e4383a-6e43843 6->9 7->6 13->14 15 6e4308a-6e4309a 13->15 18 6e430ac-6e430bb 14->18 15->18 126 6e430bd call 6e43850 18->126 127 6e430bd call 6e43858 18->127 19 6e430c2-6e430c7 20 6e430d4-6e433b1 19->20 21 6e430c9-6e430cf 19->21 42 6e433b7-6e43466 20->42 43 6e437f1-6e437fe 20->43 21->9 52 6e4348f 42->52 53 6e43468-6e4348d 42->53 55 6e43498-6e434ab 52->55 53->55 57 6e434b1-6e434d3 55->57 58 6e437d8-6e437e4 55->58 57->58 61 6e434d9-6e434e3 57->61 58->42 59 6e437ea 58->59 59->43 61->58 62 6e434e9-6e434f4 61->62 62->58 63 6e434fa-6e435d0 62->63 75 6e435d2-6e435d4 63->75 76 6e435de-6e4360e 63->76 75->76 80 6e43610-6e43612 76->80 81 6e4361c-6e43628 76->81 80->81 82 6e43688-6e4368c 81->82 83 6e4362a-6e4362e 81->83 84 6e43692-6e436ce 82->84 85 6e437c9-6e437d2 82->85 83->82 86 6e43630-6e4365a 83->86 97 6e436d0-6e436d2 84->97 98 6e436dc-6e436ea 84->98 85->58 85->63 93 6e4365c-6e4365e 86->93 94 6e43668-6e43685 86->94 93->94 94->82 97->98 100 6e43701-6e4370c 98->100 101 6e436ec-6e436f7 98->101 105 6e43724-6e43735 100->105 106 6e4370e-6e43714 100->106 101->100 104 6e436f9 101->104 104->100 110 6e43737-6e4373d 105->110 111 6e4374d-6e43759 105->111 107 6e43716 106->107 108 6e43718-6e4371a 106->108 107->105 108->105 112 6e43741-6e43743 110->112 113 6e4373f 110->113 115 6e43771-6e437c2 111->115 116 6e4375b-6e43761 111->116 112->111 113->111 115->85 117 6e43765-6e43767 116->117 118 6e43763 116->118 117->115 118->115 126->19 127->19
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q$$q$$q$$q
                                            • API String ID: 0-2069967915
                                            • Opcode ID: d2db46c55d96b47cfed1f96e8c7808b3eaa191217563b3ae50c14d5be8265b5d
                                            • Instruction ID: 514ecfbf81f644c0c9b50125ce7b09254367f295ea8f985cdb31296e1a1190af
                                            • Opcode Fuzzy Hash: d2db46c55d96b47cfed1f96e8c7808b3eaa191217563b3ae50c14d5be8265b5d
                                            • Instruction Fuzzy Hash: C6322D30E10719CBDB14EF79D85469DF7B2FF99300F2096AAD449AB254EB30AD85CB80
                                            Function 06E47D78 Relevance: 3.0, Strings: 2, Instructions: 475COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 787 6e47d78-6e47d96 788 6e47d98-6e47d9b 787->788 789 6e47d9d-6e47da7 788->789 790 6e47da8-6e47dab 788->790 791 6e47dc2-6e47dc5 790->791 792 6e47dad-6e47dbb 790->792 793 6e47dc7-6e47de3 791->793 794 6e47de8-6e47deb 791->794 800 6e47dbd 792->800 801 6e47e1e-6e47e34 792->801 793->794 796 6e47e0c-6e47e0e 794->796 797 6e47ded-6e47e07 794->797 798 6e47e15-6e47e18 796->798 799 6e47e10 796->799 797->796 798->788 798->801 799->798 800->791 807 6e4804f-6e48059 801->807 808 6e47e3a-6e47e43 801->808 809 6e47e49-6e47e66 808->809 810 6e4805a-6e4808f 808->810 816 6e4803c-6e48049 809->816 817 6e47e6c-6e47e94 809->817 815 6e48091-6e48094 810->815 818 6e48096-6e480b2 815->818 819 6e480b7-6e480ba 815->819 816->807 816->808 817->816 831 6e47e9a-6e47ea3 817->831 818->819 820 6e480c0-6e480cf 819->820 821 6e482ef-6e482f2 819->821 834 6e480d1-6e480ec 820->834 835 6e480ee-6e48132 820->835 824 6e4839d-6e4839f 821->824 825 6e482f8-6e48304 821->825 828 6e483a6-6e483a9 824->828 829 6e483a1 824->829 833 6e4830f-6e48311 825->833 828->815 830 6e483af-6e483b8 828->830 829->828 831->810 836 6e47ea9-6e47ec5 831->836 837 6e48313-6e48319 833->837 838 6e48329-6e4832d 833->838 834->835 846 6e482c3-6e482d9 835->846 847 6e48138-6e48149 835->847 850 6e4802a-6e48036 836->850 851 6e47ecb-6e47ef5 836->851 840 6e4831d-6e4831f 837->840 841 6e4831b 837->841 842 6e4832f-6e48339 838->842 843 6e4833b 838->843 840->838 841->838 845 6e48340-6e48342 842->845 843->845 852 6e48344-6e48347 845->852 853 6e48353-6e4838c 845->853 846->821 856 6e482ae-6e482bd 847->856 857 6e4814f-6e4816c 847->857 850->816 850->831 869 6e48020-6e48025 851->869 870 6e47efb-6e47f23 851->870 852->830 853->820 874 6e48392-6e4839c 853->874 856->846 856->847 857->856 868 6e48172-6e48268 call 6e46590 857->868 921 6e48276 868->921 922 6e4826a-6e48274 868->922 869->850 870->869 878 6e47f29-6e47f57 870->878 878->869 884 6e47f5d-6e47f66 878->884 884->869 885 6e47f6c-6e47f9e 884->885 893 6e47fa0-6e47fa4 885->893 894 6e47fa9-6e47fc5 885->894 893->869 895 6e47fa6 893->895 894->850 896 6e47fc7-6e4801e call 6e46590 894->896 895->894 896->850 923 6e4827b-6e4827d 921->923 922->923 923->856 924 6e4827f-6e48284 923->924 925 6e48286-6e48290 924->925 926 6e48292 924->926 927 6e48297-6e48299 925->927 926->927 927->856 928 6e4829b-6e482a7 927->928 928->856
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q
                                            • API String ID: 0-3126353813
                                            • Opcode ID: 41e3421815b240f80ee7fed8e69bea5a129cb37d09b745ac05c43fdb5e9b5852
                                            • Instruction ID: 33a91e43cbef6939994bb115dfcc423fdb3a163ef2b2c198423b65ac52c2fba0
                                            • Opcode Fuzzy Hash: 41e3421815b240f80ee7fed8e69bea5a129cb37d09b745ac05c43fdb5e9b5852
                                            • Instruction Fuzzy Hash: 85028C30B003058FDB58EB79E454BAEB7A2FF88314F149929D9059B354EB35EC82CB90
                                            Function 06E45580 Relevance: 1.9, Strings: 1, Instructions: 605COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $
                                            • API String ID: 0-3993045852
                                            • Opcode ID: f382595259513ab33fd841c151a0828a4d275bca45e1445a1a019d8cb69742bd
                                            • Instruction ID: 3eb11d9e725e6878dd0fcb121eb53018828068e72b44340ebf8a554f8796e15b
                                            • Opcode Fuzzy Hash: f382595259513ab33fd841c151a0828a4d275bca45e1445a1a019d8cb69742bd
                                            • Instruction Fuzzy Hash: E622A135E003148FDF64EB75E4907AEBBB2EF89324F24856AD815AB354DA35DC41CB90
                                            Function 06E42340 Relevance: 1.0, Instructions: 998COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 04da6e8f9627ddc491ae305dd91f570871ea9188bc5f77a156490023df5935dc
                                            • Instruction ID: b3598f7073b6a345ea74e50c28733e97ee1dbd42cd398b17d9bf0f2e62266966
                                            • Opcode Fuzzy Hash: 04da6e8f9627ddc491ae305dd91f570871ea9188bc5f77a156490023df5935dc
                                            • Instruction Fuzzy Hash: B2926630E003048FDB64EF68D584A5DBBF2EF89318F5494A9E509AB365DB35ED81CB80
                                            Function 06E465E0 Relevance: .8, Instructions: 818COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 762036a8f27c763dd328083a9b5c74d15f7c4dbc32c76ca9ad7da2a8812bd725
                                            • Instruction ID: 084e3c4970d37ac7de4aeac1c9c8ee6ed0f61ef94296ae3354ef25eaad3c5780
                                            • Opcode Fuzzy Hash: 762036a8f27c763dd328083a9b5c74d15f7c4dbc32c76ca9ad7da2a8812bd725
                                            • Instruction Fuzzy Hash: 61626C34A003048FDB64EF79E594AADB7F2EF89314F249469E5069B394DB35EC85CB80
                                            Function 06E4C178 Relevance: .6, Instructions: 642COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0e60fbd17133a18fc508a76e85619976e9f7f4dc1bf8dd0addb68ee6492bbfec
                                            • Instruction ID: 5bdc848073fa8fa5dafa0a6ebde0d5161ac7a7d4275d1ea2fa6680693a3d4c19
                                            • Opcode Fuzzy Hash: 0e60fbd17133a18fc508a76e85619976e9f7f4dc1bf8dd0addb68ee6492bbfec
                                            • Instruction Fuzzy Hash: 72329F34A012048FDB54EF79E884BADB7B2FB88714F209525E405DB395DB35EC86CB91
                                            Function 06E4B21F Relevance: .6, Instructions: 575COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: aa09540ec96cf7cdaeeea3c45b4a0820752ade6e6645b1f41802dfe069e10c93
                                            • Instruction ID: 9e9c6646bec917d1bf81f457dd5d6afc49f3d15596641c9effdf75ea320b792c
                                            • Opcode Fuzzy Hash: aa09540ec96cf7cdaeeea3c45b4a0820752ade6e6645b1f41802dfe069e10c93
                                            • Instruction Fuzzy Hash: 89226130E103098BEF64EF69E4847AEB7B6FB49314F249826E405DB395DA39DC81CB51
                                            Function 06E4B638 Relevance: 8.0, Strings: 6, Instructions: 473COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 128 6e4b638-6e4b65a 129 6e4b65c-6e4b65f 128->129 130 6e4b665-6e4b668 129->130 131 6e4b811-6e4b814 129->131 133 6e4b678-6e4b67b 130->133 134 6e4b66a-6e4b673 130->134 132 6e4b819-6e4b81c 131->132 135 6e4b857-6e4b85a 132->135 136 6e4b81e-6e4b833 132->136 133->131 137 6e4b681-6e4b684 133->137 134->133 140 6e4b85c-6e4b865 135->140 141 6e4b86a-6e4b86d 135->141 148 6e4b9df-6e4ba16 136->148 153 6e4b839-6e4b852 136->153 138 6e4b686-6e4b68b 137->138 139 6e4b68e-6e4b691 137->139 138->139 142 6e4b693-6e4b69a 139->142 143 6e4b6ab-6e4b6ae 139->143 140->141 144 6e4b877-6e4b87a 141->144 145 6e4b86f-6e4b872 141->145 147 6e4b6a0-6e4b6a6 142->147 142->148 149 6e4b6b0-6e4b6b6 143->149 150 6e4b6bb-6e4b6be 143->150 151 6e4b8a4-6e4b8a7 144->151 152 6e4b87c-6e4b883 144->152 145->144 147->143 170 6e4ba18-6e4ba1b 148->170 149->150 155 6e4b6c0-6e4b6c7 150->155 156 6e4b6e8-6e4b6eb 150->156 157 6e4b8b7-6e4b8ba 151->157 158 6e4b8a9-6e4b8b2 151->158 152->148 154 6e4b889-6e4b899 152->154 153->135 179 6e4b95e-6e4b965 154->179 180 6e4b89f 154->180 155->148 160 6e4b6cd-6e4b6dd 155->160 161 6e4b705-6e4b708 156->161 162 6e4b6ed-6e4b6f4 156->162 163 6e4b8d4-6e4b8d7 157->163 164 6e4b8bc-6e4b8c3 157->164 158->157 160->152 189 6e4b6e3 160->189 166 6e4b70a-6e4b726 161->166 167 6e4b72b-6e4b72e 161->167 162->148 172 6e4b6fa-6e4b700 162->172 168 6e4b8d9-6e4b8dc 163->168 169 6e4b94b-6e4b94e 163->169 164->148 173 6e4b8c9-6e4b8cf 164->173 166->167 175 6e4b750-6e4b753 167->175 176 6e4b730-6e4b74b 167->176 168->131 174 6e4b8e2-6e4b8e5 168->174 182 6e4b954 169->182 183 6e4b786-6e4b789 169->183 177 6e4ba1d-6e4ba39 170->177 178 6e4ba3e-6e4ba41 170->178 172->161 173->163 186 6e4b924-6e4b927 174->186 187 6e4b8e7-6e4b8fc 174->187 190 6e4b755-6e4b756 175->190 191 6e4b75b-6e4b75e 175->191 176->175 177->178 192 6e4ba47-6e4ba6f 178->192 193 6e4bcad-6e4bcaf 178->193 179->148 184 6e4b967-6e4b977 179->184 180->151 194 6e4b959-6e4b95c 182->194 183->148 188 6e4b78f-6e4b796 183->188 184->131 225 6e4b97d 184->225 196 6e4b987-6e4b990 186->196 197 6e4b929-6e4b92c 186->197 187->148 218 6e4b902-6e4b91f 187->218 202 6e4b79b-6e4b79e 188->202 189->156 190->191 199 6e4b760-6e4b769 191->199 200 6e4b76e-6e4b771 191->200 241 6e4ba71-6e4ba74 192->241 242 6e4ba79-6e4babd 192->242 203 6e4bcb6-6e4bcb9 193->203 204 6e4bcb1 193->204 194->179 201 6e4b982-6e4b985 194->201 208 6e4b92e-6e4b937 196->208 216 6e4b992 196->216 207 6e4b946-6e4b949 197->207 197->208 199->200 209 6e4b781-6e4b784 200->209 210 6e4b773-6e4b77a 200->210 201->196 213 6e4b997-6e4b99a 201->213 214 6e4b7a0-6e4b7fd call 6e46590 202->214 215 6e4b802-6e4b805 202->215 203->170 217 6e4bcbf-6e4bcc8 203->217 204->203 207->169 207->194 208->148 222 6e4b93d-6e4b941 208->222 209->183 209->202 210->199 224 6e4b77c 210->224 226 6e4b9ac-6e4b9af 213->226 227 6e4b99c 213->227 214->215 219 6e4b807-6e4b809 215->219 220 6e4b80c-6e4b80f 215->220 216->213 218->186 219->220 220->131 220->132 222->207 224->209 225->201 230 6e4b9b1-6e4b9bd 226->230 231 6e4b9c2-6e4b9c4 226->231 236 6e4b9a4-6e4b9a7 227->236 230->231 232 6e4b9c6 231->232 233 6e4b9cb-6e4b9ce 231->233 232->233 233->129 237 6e4b9d4-6e4b9de 233->237 236->226 241->217 250 6e4bca2-6e4bcac 242->250 251 6e4bac3-6e4bacc 242->251 252 6e4bad2-6e4bb3e call 6e46590 251->252 253 6e4bc98-6e4bc9d 251->253 262 6e4bb44-6e4bb49 252->262 263 6e4bc38-6e4bc4d 252->263 253->250 264 6e4bb65 262->264 265 6e4bb4b-6e4bb51 262->265 263->253 269 6e4bb67-6e4bb6d 264->269 267 6e4bb57-6e4bb59 265->267 268 6e4bb53-6e4bb55 265->268 270 6e4bb63 267->270 268->270 271 6e4bb82-6e4bb8f 269->271 272 6e4bb6f-6e4bb75 269->272 270->269 279 6e4bba7-6e4bbb4 271->279 280 6e4bb91-6e4bb97 271->280 273 6e4bc23-6e4bc32 272->273 274 6e4bb7b 272->274 273->262 273->263 274->271 275 6e4bbb6-6e4bbc3 274->275 276 6e4bbea-6e4bbf7 274->276 285 6e4bbc5-6e4bbcb 275->285 286 6e4bbdb-6e4bbe8 275->286 287 6e4bc0f-6e4bc1c 276->287 288 6e4bbf9-6e4bbff 276->288 279->273 282 6e4bb99 280->282 283 6e4bb9b-6e4bb9d 280->283 282->279 283->279 290 6e4bbcd 285->290 291 6e4bbcf-6e4bbd1 285->291 286->273 287->273 292 6e4bc01 288->292 293 6e4bc03-6e4bc05 288->293 290->286 291->286 292->287 293->287
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q$$q$$q$$q
                                            • API String ID: 0-2069967915
                                            • Opcode ID: 5c6a7cd139b0c9058abcfa5cc91bca51aa47aec33a8076857bdd1c02aaa9302f
                                            • Instruction ID: c6f667c661c7c37c9e1c953637e4451f02caf0cde8638f34b630b4213014e615
                                            • Opcode Fuzzy Hash: 5c6a7cd139b0c9058abcfa5cc91bca51aa47aec33a8076857bdd1c02aaa9302f
                                            • Instruction Fuzzy Hash: 01026930E103098FDBA4EF69E4847ADB7B2FB89314F24996AE405DB255DB35DC81CB81
                                            Function 06E49148 Relevance: 5.2, Strings: 4, Instructions: 231COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 296 6e49148-6e4916d 297 6e4916f-6e49172 296->297 298 6e49174-6e49193 297->298 299 6e49198-6e4919b 297->299 298->299 300 6e491a1-6e491b6 299->300 301 6e49a5b-6e49a5d 299->301 308 6e491ce-6e491e4 300->308 309 6e491b8-6e491be 300->309 303 6e49a64-6e49a67 301->303 304 6e49a5f 301->304 303->297 306 6e49a6d-6e49a77 303->306 304->303 313 6e491ef-6e491f1 308->313 310 6e491c0 309->310 311 6e491c2-6e491c4 309->311 310->308 311->308 314 6e491f3-6e491f9 313->314 315 6e49209-6e4927a 313->315 316 6e491fd-6e491ff 314->316 317 6e491fb 314->317 326 6e492a6-6e492c2 315->326 327 6e4927c-6e4929f 315->327 316->315 317->315 332 6e492c4-6e492e7 326->332 333 6e492ee-6e49309 326->333 327->326 332->333 338 6e49334-6e4934f 333->338 339 6e4930b-6e4932d 333->339 344 6e49351-6e49373 338->344 345 6e4937a-6e49384 338->345 339->338 344->345 346 6e49394-6e4940e 345->346 347 6e49386-6e4938f 345->347 353 6e49410-6e4942e 346->353 354 6e4945b-6e49470 346->354 347->306 358 6e49430-6e4943f 353->358 359 6e4944a-6e49459 353->359 354->301 358->359 359->353 359->354
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q$$q
                                            • API String ID: 0-4102054182
                                            • Opcode ID: f2d1e439329666a13d96b266d50d418f2f53f1f4fd8e1b1e4172be5078045ed2
                                            • Instruction ID: 5a96ee965f32db07e3857a9b7c724c375708dad774ccc3b758e0de370edaae35
                                            • Opcode Fuzzy Hash: f2d1e439329666a13d96b266d50d418f2f53f1f4fd8e1b1e4172be5078045ed2
                                            • Instruction Fuzzy Hash: 50916C30B003198BDB94DF79D9507AEB7B2FF89340F108569D909AB349EE34DD868B91
                                            Function 06E4CF40 Relevance: 4.6, Strings: 3, Instructions: 800COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 362 6e4cf40-6e4cf5b 363 6e4cf5d-6e4cf60 362->363 364 6e4cf62-6e4cf71 363->364 365 6e4cfa9-6e4cfac 363->365 368 6e4cf80-6e4cf8c 364->368 369 6e4cf73-6e4cf78 364->369 366 6e4cfb2-6e4cfb5 365->366 367 6e4d42c-6e4d438 365->367 372 6e4cfb7-6e4cff9 366->372 373 6e4cffe-6e4d001 366->373 374 6e4d28e-6e4d29d 367->374 375 6e4d43e-6e4d72b 367->375 370 6e4cf92-6e4cfa4 368->370 371 6e4d95d-6e4d996 368->371 369->368 370->365 388 6e4d998-6e4d99b 371->388 372->373 376 6e4d024-6e4d027 373->376 377 6e4d003-6e4d01f 373->377 378 6e4d2ac-6e4d2b8 374->378 379 6e4d29f-6e4d2a4 374->379 575 6e4d731-6e4d737 375->575 576 6e4d952-6e4d95c 375->576 381 6e4d031-6e4d034 376->381 382 6e4d029-6e4d02e 376->382 377->376 378->371 386 6e4d2be-6e4d2d0 378->386 379->378 389 6e4d036-6e4d078 381->389 390 6e4d07d-6e4d080 381->390 382->381 398 6e4d2d5-6e4d2d7 386->398 393 6e4d99d-6e4d9b9 388->393 394 6e4d9be-6e4d9c1 388->394 389->390 391 6e4d082-6e4d084 390->391 392 6e4d08f-6e4d092 390->392 400 6e4d429 391->400 401 6e4d08a 391->401 402 6e4d094-6e4d0d6 392->402 403 6e4d0db-6e4d0de 392->403 393->394 405 6e4d9f4-6e4d9f7 394->405 406 6e4d9c3-6e4d9ef 394->406 407 6e4d2de-6e4d2e1 398->407 408 6e4d2d9 398->408 400->367 401->392 402->403 411 6e4d127-6e4d12a 403->411 412 6e4d0e0-6e4d122 403->412 409 6e4da06-6e4da08 405->409 410 6e4d9f9 call 6e4dab5 405->410 406->405 407->363 418 6e4d2e7-6e4d2f0 407->418 408->407 419 6e4da0f-6e4da12 409->419 420 6e4da0a 409->420 424 6e4d9ff-6e4da01 410->424 416 6e4d147-6e4d14a 411->416 417 6e4d12c-6e4d142 411->417 412->411 427 6e4d193-6e4d196 416->427 428 6e4d14c-6e4d18e 416->428 417->416 425 6e4d2f2-6e4d2f7 418->425 426 6e4d2ff-6e4d30b 418->426 419->388 430 6e4da14-6e4da23 419->430 420->419 424->409 425->426 437 6e4d311-6e4d325 426->437 438 6e4d41c-6e4d421 426->438 433 6e4d1df-6e4d1e2 427->433 434 6e4d198-6e4d1da 427->434 428->427 455 6e4da25-6e4da88 call 6e46590 430->455 456 6e4da8a-6e4da9f 430->456 441 6e4d1e4-6e4d1e6 433->441 442 6e4d1f1-6e4d1f4 433->442 434->433 437->400 461 6e4d32b-6e4d33d 437->461 438->400 441->418 449 6e4d1ec 441->449 450 6e4d1f6-6e4d238 442->450 451 6e4d23d-6e4d240 442->451 449->442 450->451 463 6e4d242-6e4d284 451->463 464 6e4d289-6e4d28c 451->464 455->456 471 6e4daa0 456->471 480 6e4d361-6e4d363 461->480 481 6e4d33f-6e4d345 461->481 463->464 464->374 464->398 471->471 490 6e4d36d-6e4d379 480->490 486 6e4d347 481->486 487 6e4d349-6e4d355 481->487 493 6e4d357-6e4d35f 486->493 487->493 504 6e4d387 490->504 505 6e4d37b-6e4d385 490->505 493->490 508 6e4d38c-6e4d38e 504->508 505->508 508->400 511 6e4d394-6e4d3b0 call 6e46590 508->511 521 6e4d3b2-6e4d3b7 511->521 522 6e4d3bf-6e4d3cb 511->522 521->522 522->438 524 6e4d3cd-6e4d41a 522->524 524->400 577 6e4d746-6e4d74f 575->577 578 6e4d739-6e4d73e 575->578 577->371 579 6e4d755-6e4d768 577->579 578->577 581 6e4d942-6e4d94c 579->581 582 6e4d76e-6e4d774 579->582 581->575 581->576 583 6e4d776-6e4d77b 582->583 584 6e4d783-6e4d78c 582->584 583->584 584->371 585 6e4d792-6e4d7b3 584->585 588 6e4d7b5-6e4d7ba 585->588 589 6e4d7c2-6e4d7cb 585->589 588->589 589->371 590 6e4d7d1-6e4d7ee 589->590 590->581 593 6e4d7f4-6e4d7fa 590->593 593->371 594 6e4d800-6e4d819 593->594 596 6e4d935-6e4d93c 594->596 597 6e4d81f-6e4d846 594->597 596->581 596->593 597->371 600 6e4d84c-6e4d856 597->600 600->371 601 6e4d85c-6e4d873 600->601 603 6e4d875-6e4d880 601->603 604 6e4d882-6e4d89d 601->604 603->604 604->596 609 6e4d8a3-6e4d8bc call 6e46590 604->609 613 6e4d8be-6e4d8c3 609->613 614 6e4d8cb-6e4d8d4 609->614 613->614 614->371 615 6e4d8da-6e4d92e 614->615 615->596
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q
                                            • API String ID: 0-3067366958
                                            • Opcode ID: 65490b597917f43dd76b853ac941a469f043ea664c624b127a56beb629585da8
                                            • Instruction ID: 08dc32b40fe5588fd1dca61ab04aaaea72c0957c5932e9ff3300ab124be4a740
                                            • Opcode Fuzzy Hash: 65490b597917f43dd76b853ac941a469f043ea664c624b127a56beb629585da8
                                            • Instruction Fuzzy Hash: D4626034A003058FDB55EF79E990A9DB7B2FF88304B248A69D0059F359DB75EC86CB81
                                            Function 0159EB40 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 155COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 755 159eb40-159eb48 756 159eb4a-159eb5b 755->756 757 159eb07-159eb20 call 159eb40 755->757 758 159eb5d-159eb84 756->758 759 159eb85-159eb9b 756->759 760 159eb26-159eb2a 757->760 785 159eb9d call 159ec28 759->785 786 159eb9d call 159eb40 759->786 763 159eb2c-159eb31 760->763 764 159eb33-159eb36 760->764 765 159eb39-159eb3b 763->765 764->765 766 159eba2-159eba4 767 159ebaa-159ec09 766->767 768 159eba6-159eba9 766->768 775 159ec0b-159ec0e 767->775 776 159ec0f-159ec9c GlobalMemoryStatusEx 767->776 780 159ec9e-159eca4 776->780 781 159eca5-159eccd 776->781 780->781 785->766 786->766
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2525930435.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_1590000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: V
                                            • API String ID: 0-1342839628
                                            • Opcode ID: a1f1d2399e0416073a3146593e7b56ab425e847cc38d47e96b3bbb8de63318fd
                                            • Instruction ID: faadfc3fb5d0873c5cd82863fc0831ca11cdee6d2859a8146185e6e690fba639
                                            • Opcode Fuzzy Hash: a1f1d2399e0416073a3146593e7b56ab425e847cc38d47e96b3bbb8de63318fd
                                            • Instruction Fuzzy Hash: E4512172E043998FDB14DFA9D8043DEBBF2FF89210F15856BD449AB241DB389845CBA1
                                            Function 06E49137 Relevance: 2.7, Strings: 2, Instructions: 178COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 930 6e49137-6e4916d 934 6e4916f-6e49172 930->934 935 6e49174-6e49193 934->935 936 6e49198-6e4919b 934->936 935->936 937 6e491a1-6e491b6 936->937 938 6e49a5b-6e49a5d 936->938 945 6e491ce-6e491e4 937->945 946 6e491b8-6e491be 937->946 940 6e49a64-6e49a67 938->940 941 6e49a5f 938->941 940->934 943 6e49a6d-6e49a77 940->943 941->940 950 6e491ef-6e491f1 945->950 947 6e491c0 946->947 948 6e491c2-6e491c4 946->948 947->945 948->945 951 6e491f3-6e491f9 950->951 952 6e49209-6e4927a 950->952 953 6e491fd-6e491ff 951->953 954 6e491fb 951->954 963 6e492a6-6e492c2 952->963 964 6e4927c-6e4929f 952->964 953->952 954->952 969 6e492c4-6e492e7 963->969 970 6e492ee-6e49309 963->970 964->963 969->970 975 6e49334-6e4934f 970->975 976 6e4930b-6e4932d 970->976 981 6e49351-6e49373 975->981 982 6e4937a-6e49384 975->982 976->975 981->982 983 6e49394-6e4940e 982->983 984 6e49386-6e4938f 982->984 990 6e49410-6e4942e 983->990 991 6e4945b-6e49470 983->991 984->943 995 6e49430-6e4943f 990->995 996 6e4944a-6e49459 990->996 991->938 995->996 996->990 996->991
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q
                                            • API String ID: 0-3126353813
                                            • Opcode ID: 00a100e97f2347455c1221a67f9cb3f7be222c8bb7aa08fcd5eeb3fd78018a9e
                                            • Instruction ID: 4dbfcea7e09124e6bf7ccd1dbeadb78063923cb5a42499341eb45047a2373c9d
                                            • Opcode Fuzzy Hash: 00a100e97f2347455c1221a67f9cb3f7be222c8bb7aa08fcd5eeb3fd78018a9e
                                            • Instruction Fuzzy Hash: 80518F30B003049FDB94DF79E990B6EB7E2EF89340F109469D909AB349EE34DD428B91
                                            Function 0159EC28 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1281 159ec28-159ec9c GlobalMemoryStatusEx 1283 159ec9e-159eca4 1281->1283 1284 159eca5-159eccd 1281->1284 1283->1284
                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE ref: 0159EC8F
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2525930435.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_1590000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: 1b4bb35dd78f5a710075584379bce26a2f65a860bee41d9273fd133bd89e4ce6
                                            • Instruction ID: 082609d85c478e6be853cd3bc47f649712b4cefa3d2913a460236106efa26d3a
                                            • Opcode Fuzzy Hash: 1b4bb35dd78f5a710075584379bce26a2f65a860bee41d9273fd133bd89e4ce6
                                            • Instruction Fuzzy Hash: 87111FB2C006599FDB10CF9AC445BDEFBF4FB48320F11812AE858A7240D378A940CFA5
                                            Function 06E4DAB5 Relevance: 1.4, Strings: 1, Instructions: 128COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1450 6e4dab5-6e4dadf 1451 6e4dae1-6e4dae4 1450->1451 1452 6e4dae6-6e4db12 1451->1452 1453 6e4db17-6e4db1a 1451->1453 1452->1453 1454 6e4db1c-6e4db38 1453->1454 1455 6e4db3d-6e4db40 1453->1455 1454->1455 1456 6e4db42 1455->1456 1457 6e4db4f-6e4db51 1455->1457 1461 6e4db48-6e4db4a 1456->1461 1458 6e4db53 1457->1458 1459 6e4db58-6e4db5b 1457->1459 1458->1459 1459->1451 1462 6e4db5d-6e4db6c 1459->1462 1461->1457 1465 6e4dcf1-6e4dd1b 1462->1465 1466 6e4db72-6e4dbab 1462->1466 1469 6e4dd1c 1465->1469 1473 6e4dbad-6e4dbb7 1466->1473 1474 6e4dbf9-6e4dc1d 1466->1474 1469->1469 1478 6e4dbcf-6e4dbf7 1473->1478 1479 6e4dbb9-6e4dbbf 1473->1479 1480 6e4dc27-6e4dceb 1474->1480 1481 6e4dc1f 1474->1481 1478->1473 1478->1474 1482 6e4dbc1 1479->1482 1483 6e4dbc3-6e4dbc5 1479->1483 1480->1465 1480->1466 1481->1480 1482->1478 1483->1478
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PHq
                                            • API String ID: 0-3820536768
                                            • Opcode ID: 2dee82e9a944c3b2cd31bf7022eacb2fdb728128362257b80446d8d80622e6f8
                                            • Instruction ID: 0f9bfa004e9b3e41081dd435d7b470030b78a6b5f12dfdab22aba0400a9ae672
                                            • Opcode Fuzzy Hash: 2dee82e9a944c3b2cd31bf7022eacb2fdb728128362257b80446d8d80622e6f8
                                            • Instruction Fuzzy Hash: F7416E70E003099FDB64EF75E85469EBBB2FF85304F20492AE406EB244DB75E846CB91
                                            Function 06E421C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1489 6e421c8-6e421e3 1490 6e421e5-6e421e8 1489->1490 1491 6e421ea-6e42206 1490->1491 1492 6e4220b-6e4220d 1490->1492 1491->1492 1493 6e42214-6e42217 1492->1493 1494 6e4220f 1492->1494 1493->1490 1496 6e42219-6e4223f 1493->1496 1494->1493 1501 6e42246-6e42274 1496->1501 1506 6e42276-6e42280 1501->1506 1507 6e422eb-6e4230f 1501->1507 1511 6e42282-6e42288 1506->1511 1512 6e42298-6e422e9 1506->1512 1513 6e42311 1507->1513 1514 6e42319 1507->1514 1515 6e4228c-6e4228e 1511->1515 1516 6e4228a 1511->1516 1512->1506 1512->1507 1513->1514 1515->1512 1516->1512
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PHq
                                            • API String ID: 0-3820536768
                                            • Opcode ID: 1accab90d8f5a82525148fb0bb24917179f56a557e91f67d20d270d64c4037a1
                                            • Instruction ID: e39a28798f4aa66ec780aafbacd59697d84401e430af443dee42880afcf4738e
                                            • Opcode Fuzzy Hash: 1accab90d8f5a82525148fb0bb24917179f56a557e91f67d20d270d64c4037a1
                                            • Instruction Fuzzy Hash: BE31C130B003058FDB54AB75E4147AE7BA3AF89604B248528E502DB398DF35DD46CB99
                                            Function 06E482EE Relevance: 1.3, Strings: 1, Instructions: 30COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q
                                            • API String ID: 0-1301096350
                                            • Opcode ID: abe81315a4f615dab3e1a6e72a60736476b4cd8836a43bc348aedcb30effc413
                                            • Instruction ID: b6ec5b02772841d49a0e4be55f7207e7286a4a94983fb9cc0c8e60ddd5f4c9e0
                                            • Opcode Fuzzy Hash: abe81315a4f615dab3e1a6e72a60736476b4cd8836a43bc348aedcb30effc413
                                            • Instruction Fuzzy Hash: A6F0E535F04301CFEF686966F9483BA7364EB40258F1460A2CD00C7100D775ED44C691
                                            Function 06E461D8 Relevance: .2, Instructions: 229COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f0ea6d8b3a099cc8482675b621ed459b842af3bd2965cb2dd189752e1f881661
                                            • Instruction ID: 635cc2df9d6d53ab6e6cb52d2c83c7e207f09cf0e73e1591e41845d62aa93609
                                            • Opcode Fuzzy Hash: f0ea6d8b3a099cc8482675b621ed459b842af3bd2965cb2dd189752e1f881661
                                            • Instruction Fuzzy Hash: FC61E171F002214BDF54AA7ED8806AEBBE7AFC5220B154439D80EDB324DE75DD0287D5
                                            Function 06E44278 Relevance: .2, Instructions: 228COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2b3a32a777b1f76f22dcbc0903968da8ff3091085abcdeb8403df90176c1b101
                                            • Instruction ID: bcfebc323cbf765de5196907abe10c553b14d34210585476bbc8b78fdda8975f
                                            • Opcode Fuzzy Hash: 2b3a32a777b1f76f22dcbc0903968da8ff3091085abcdeb8403df90176c1b101
                                            • Instruction Fuzzy Hash: 9B811C74B003098BDF54EFB9D4547AEBBE2EF89304F149529D409EB398EA35DC428791
                                            Function 06E44598 Relevance: .2, Instructions: 221COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b8c7c1e64611d62d6c3b2e8d28cca2bf6e5ee46fd6e9e8dd0f989789054d5485
                                            • Instruction ID: 3bffe98fce5ce42927ed80fbf80287bab996fe9bea1ed70c6c0e403f994a2562
                                            • Opcode Fuzzy Hash: b8c7c1e64611d62d6c3b2e8d28cca2bf6e5ee46fd6e9e8dd0f989789054d5485
                                            • Instruction Fuzzy Hash: 1B914D30E10319CBDF60DF68C890B9DB7B1FF89314F208699D549AB295DB70AA85CF91
                                            Function 06E4AF18 Relevance: .2, Instructions: 215COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 63f3eed302c8b570038cc787c1dcec4c903f981b43c258fd735f50fb6d7cb941
                                            • Instruction ID: 25ecc1d3580fe73fbcbee132ecce342022eaa040d5fd0b14b351c8fba04a6de7
                                            • Opcode Fuzzy Hash: 63f3eed302c8b570038cc787c1dcec4c903f981b43c258fd735f50fb6d7cb941
                                            • Instruction Fuzzy Hash: 5D715E30E003198BDB54EFB9D4506AEB7B2FFC9304F508529D505AB358EB74D94ACB81
                                            Function 06E445B0 Relevance: .2, Instructions: 210COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2bca5c061aa3da855a7929588f19adf4c58b8cee3ff48d8baa4008ec7bc74052
                                            • Instruction ID: 50f07a672d84c01e0d61e41877d79ef3f0eb4d937c28d9d5383f013cca29249a
                                            • Opcode Fuzzy Hash: 2bca5c061aa3da855a7929588f19adf4c58b8cee3ff48d8baa4008ec7bc74052
                                            • Instruction Fuzzy Hash: D0912B34E10719CBDF60DF68C890B9DB7B1FF89314F208699D549AB294DB70AA85CF90
                                            Function 06E4EF10 Relevance: .2, Instructions: 207COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 69f2d89642305e9ef213d52eddc1a9d588a8cbed37bce7c29506c73feef6ee92
                                            • Instruction ID: 9b0683868413d3d634e461a4567daeae6fbe8412e1538e2ed6f2e60333734136
                                            • Opcode Fuzzy Hash: 69f2d89642305e9ef213d52eddc1a9d588a8cbed37bce7c29506c73feef6ee92
                                            • Instruction Fuzzy Hash: BA714B70E012099FDB54EFA9E980A9DBBF6FF88304F249569E005AB355DB34EC46CB50
                                            Function 06E4EF20 Relevance: .2, Instructions: 201COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e9dd2ee1690db37ed8a41d1b4771d84d86bfccfffa893332bd98f58c9ee5ef8f
                                            • Instruction ID: be9573ed9b3b2b9bd46df269c9ad5c19475b712a3c2fded21ad981143b3ca259
                                            • Opcode Fuzzy Hash: e9dd2ee1690db37ed8a41d1b4771d84d86bfccfffa893332bd98f58c9ee5ef8f
                                            • Instruction Fuzzy Hash: CF712B70E002099FDB54EFA9D980A9EBBF6FF88304F249469E405AB355DB34EC46CB51
                                            Function 06E44B48 Relevance: .2, Instructions: 186COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c11c2c5db1569d6fd867e922e0b2a96d4424a21caa18a89edc1482c6bafbc582
                                            • Instruction ID: 1dd22efc78372db73c48fff4f514426f3e1b5c1388f47848c2b700d84f5afef3
                                            • Opcode Fuzzy Hash: c11c2c5db1569d6fd867e922e0b2a96d4424a21caa18a89edc1482c6bafbc582
                                            • Instruction Fuzzy Hash: B6614170F00219DFEB549BB9D8547AEBBF6FF88300F20852AD505AB395DE754C458B90
                                            Function 06E4FC78 Relevance: .2, Instructions: 180COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8c6fd087564be8dd7862718784951b180e6263c991e59ffc4a397b138b12e537
                                            • Instruction ID: 5776e08a1dab17e48176685559a932c9b5fed9d565ea40789886786d62608b98
                                            • Opcode Fuzzy Hash: 8c6fd087564be8dd7862718784951b180e6263c991e59ffc4a397b138b12e537
                                            • Instruction Fuzzy Hash: CF51EE31E00205DFDB24AFB8E4846ADBBB2EF88325F10886AE106DB254DB358855CB80
                                            Function 06E4FA28 Relevance: .2, Instructions: 172COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0d126396ebdb958f2ebba26c08eb77ff4603586ed1eddc5bd1279846a8ec7f8a
                                            • Instruction ID: 897d99f33f9526fc9ff743bbf4691a3a38b148cd5e3fea7823328631492954ad
                                            • Opcode Fuzzy Hash: 0d126396ebdb958f2ebba26c08eb77ff4603586ed1eddc5bd1279846a8ec7f8a
                                            • Instruction Fuzzy Hash: 4151C970F203149BFF70667DE85476F265AEBCA715F20542AE50BD7394C978CC8287A2
                                            Function 06E4FA38 Relevance: .2, Instructions: 163COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0429f93ad3966d61e763755864c64323f780c195f0b3a6b61b00f97e9982b0f9
                                            • Instruction ID: 16e760ddbffa31809d56f983465ac195e3f4234ff9eef7fec83dca9264fcd0ea
                                            • Opcode Fuzzy Hash: 0429f93ad3966d61e763755864c64323f780c195f0b3a6b61b00f97e9982b0f9
                                            • Instruction Fuzzy Hash: CF51B570F203149BFF60667DE854B6F265BE7CA715F20542AE50BD7394C978CC8287A2
                                            Function 06E44B39 Relevance: .1, Instructions: 142COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d3f30925e61d1fe9cdbf185418ac39cc19afc21e8686391da6da8b65d4347743
                                            • Instruction ID: c1b9494c67efa7e17d2dbb1725c44a376a806635817b3dd62a75f10f5febc1bd
                                            • Opcode Fuzzy Hash: d3f30925e61d1fe9cdbf185418ac39cc19afc21e8686391da6da8b65d4347743
                                            • Instruction Fuzzy Hash: B8515E70F002189FDB549FA9D854BAEBBF6FF89700F20852ED505AB399DE758C418B90
                                            Function 06E453F0 Relevance: .1, Instructions: 135COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: edfcd76707e6f2715966f1dee30f9c4f3bb94f0a9802db5dd7aa48f088c93c44
                                            • Instruction ID: acd9abfb24d9d26038a12799e04e2c9008a3cfc9e08730d634c83212cb69824c
                                            • Opcode Fuzzy Hash: edfcd76707e6f2715966f1dee30f9c4f3bb94f0a9802db5dd7aa48f088c93c44
                                            • Instruction Fuzzy Hash: 2741B031E007098FDF70DFA9E880BBFF7B2EB85214F10592AE11AD7650D234A956CB91
                                            Function 06E4D968 Relevance: .1, Instructions: 100COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 61e484d721c215d6ed38cb63b2c07d61950c9d2b16103cd49a477987e4dac271
                                            • Instruction ID: 18dd00c6d5eee51df6474bd011bd4242bbe509b648f98d3e9f24ae024abe4996
                                            • Opcode Fuzzy Hash: 61e484d721c215d6ed38cb63b2c07d61950c9d2b16103cd49a477987e4dac271
                                            • Instruction Fuzzy Hash: 82316170E1071A8BDB25DF79E84069EB7B2FF88304F109929E405EB344EB71E9468B81
                                            Function 06E42078 Relevance: .1, Instructions: 95COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0dd901b7b5db79056a6b2c9e639100617ca776d6a3472e589b1b759f866909f7
                                            • Instruction ID: 8f8298b0ef6c701c58952caa44a617ee76420a343db87f75c2f453f27a477f8c
                                            • Opcode Fuzzy Hash: 0dd901b7b5db79056a6b2c9e639100617ca776d6a3472e589b1b759f866909f7
                                            • Instruction Fuzzy Hash: ED318B31E00209DFCB58DF65D85069EB7B2EF88300F109529E906EB354EB71ED46CB50
                                            Function 06E42088 Relevance: .1, Instructions: 91COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6a6c91c1ff394770584c2bfe6a63bb868e7680c67fd0cba6eef1056b76b4b14c
                                            • Instruction ID: 199647d1601e901591f03e1c09126889132979f9a819c8d80a942e768dc4ab2f
                                            • Opcode Fuzzy Hash: 6a6c91c1ff394770584c2bfe6a63bb868e7680c67fd0cba6eef1056b76b4b14c
                                            • Instruction Fuzzy Hash: 6E316731E10209DFCB58DF65D894AAEB7B2EF89300F108529E906EB354EB71AD46CB50
                                            Function 0143D006 Relevance: .1, Instructions: 84COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2524198925.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_143d000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9dfd38bf848e978ccd9a751e4b24cf8688a677f0f5ab8c544c760382a3856aeb
                                            • Instruction ID: dd2ec8542bb00b8f2c5b10fdb2f59672a8172286840913002edd962da1811346
                                            • Opcode Fuzzy Hash: 9dfd38bf848e978ccd9a751e4b24cf8688a677f0f5ab8c544c760382a3856aeb
                                            • Instruction Fuzzy Hash: DD312A7550E3C09FDB178F64C9A4711BF71AF47214F1985DBD8898F2A7C23A980ACB62
                                            Function 06E43A78 Relevance: .1, Instructions: 84COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 70fe246f4cba950ae06d4e56c38714bd75e3b7da1498e772729bddd16a6ea93a
                                            • Instruction ID: c37cf28fe9606b61c9652df7b30a1d8bfb881b68c3c83554c6c5cd2b092b39d8
                                            • Opcode Fuzzy Hash: 70fe246f4cba950ae06d4e56c38714bd75e3b7da1498e772729bddd16a6ea93a
                                            • Instruction Fuzzy Hash: 95212875A003599FDB40DF6AE940BAEBBF5EB48350F108025E905E7354EB34DD858B94
                                            Function 06E43A88 Relevance: .1, Instructions: 78COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 90fde8792178c7296900299f0b3b7cb3db136308718ce047ab8e12276a207157
                                            • Instruction ID: 4f6aa94604dbdb0e61363b72f68f6ca95d3c77bb1b2138b0b6c1013e828276e0
                                            • Opcode Fuzzy Hash: 90fde8792178c7296900299f0b3b7cb3db136308718ce047ab8e12276a207157
                                            • Instruction Fuzzy Hash: 47214675E003559FDB40DF6AE980BAEBBF5EB48350F148029E905E7394EB34DD808B90
                                            Function 06E46D00 Relevance: .1, Instructions: 77COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0be2a3f43c56f64561584fb19e7e55af376090fa912689e2bf27017bf0187381
                                            • Instruction ID: f80d6552c864fec06b766c49c865bbd2a7b2b79e59f5ae8a9a16e663d8bd4071
                                            • Opcode Fuzzy Hash: 0be2a3f43c56f64561584fb19e7e55af376090fa912689e2bf27017bf0187381
                                            • Instruction Fuzzy Hash: 9E218030B112189BDF54FF69F4546ADBBB6EF89314F249429E505D7344EB36AC418BC0
                                            Function 0143D044 Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2524198925.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_143d000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6cb1d2498187d054fc910646a6811eb6ae09713cd4447bba5305211718a3da25
                                            • Instruction ID: fbdc990a537dfa8387c29bd32a04854d6f8cb385f7e7853b46f04e8b2bef1e3d
                                            • Opcode Fuzzy Hash: 6cb1d2498187d054fc910646a6811eb6ae09713cd4447bba5305211718a3da25
                                            • Instruction Fuzzy Hash: 6221F1B1904204EFDB15DF64C980B26FB65EB88718F60C56EE9090B3A2C736D447CA62
                                            Function 06E43B98 Relevance: .1, Instructions: 59COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ce33c87e4634d88104eac5b2dc19e431656aebd6b1a0eb6e662d90f85f3a7a21
                                            • Instruction ID: 2d032094940978e127b872d5fa46f01299f60b69ee1c0d29589a3982003faa8d
                                            • Opcode Fuzzy Hash: ce33c87e4634d88104eac5b2dc19e431656aebd6b1a0eb6e662d90f85f3a7a21
                                            • Instruction Fuzzy Hash: 27116131B106288FDB98AA7AD8146EE77AAEBC8310F108539D506EB348DE35DC4587D1
                                            Function 06E441D8 Relevance: .1, Instructions: 58COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6b584fc3d85cdfcea4e819a356a062bbd6675400811dcdbc2961dcf1f89a1690
                                            • Instruction ID: e2d4a786bd28343742c801789cc00ecf1d870c0116681d8f6564427fda5ff09f
                                            • Opcode Fuzzy Hash: 6b584fc3d85cdfcea4e819a356a062bbd6675400811dcdbc2961dcf1f89a1690
                                            • Instruction Fuzzy Hash: 2A01B131B042209FDB60AABDA814B2BB7D6EBC9714F20883AE509C7389DD65DC028395
                                            Function 06E4F191 Relevance: .1, Instructions: 58COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 82bb285e1f86284dd96b5651e60c5b7e0b162018ff8c105db109c81225df55c1
                                            • Instruction ID: d9cdd40a9cc38d9d02807ae991b22e7ddbf3e4d76ba129ea823c5cf7e4bac38d
                                            • Opcode Fuzzy Hash: 82bb285e1f86284dd96b5651e60c5b7e0b162018ff8c105db109c81225df55c1
                                            • Instruction Fuzzy Hash: 26014C30B003504BCB61A97DE890F2B7BE6EBCAB14F14883AF40AC7345DD25DC064395
                                            Function 06E4A300 Relevance: .1, Instructions: 55COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1dd7f97a3ba3f7e31cd654556292c81cda42a997d4439dbbe822a20e7115e04b
                                            • Instruction ID: ae5428e6d2b788b268fa24fe7036554b8240080422dae897cd57c46702e0dd0e
                                            • Opcode Fuzzy Hash: 1dd7f97a3ba3f7e31cd654556292c81cda42a997d4439dbbe822a20e7115e04b
                                            • Instruction Fuzzy Hash: 1801D270F002105BC761EA7DE824B1E77E5EB8A724F10987EE40AC7355FA25DC018391
                                            Function 06E43850 Relevance: .1, Instructions: 55COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8257eb139b19600b33ffb2a93e40f7cfc2864a5ecf7cdf38ab22868ecd5af85e
                                            • Instruction ID: 9a10c02ed7c9d22c7179e0afb686a51e67f0e62f0c7db4511fd1ad47c2cb6f4c
                                            • Opcode Fuzzy Hash: 8257eb139b19600b33ffb2a93e40f7cfc2864a5ecf7cdf38ab22868ecd5af85e
                                            • Instruction Fuzzy Hash: 5121D3B5D01219EFDB10DF9AD885ACEFBF8FB48314F10812AE918A7240D3756954CFA5
                                            Function 06E43B88 Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1f220d0ff631c4e853759779d9d334dda925b2e190a60d1c29caaddf9b61a39e
                                            • Instruction ID: 8a21105f37f6d2520d8dd88d0bbd057c83044a63abfdcd4c440f1b7ffc77ce3d
                                            • Opcode Fuzzy Hash: 1f220d0ff631c4e853759779d9d334dda925b2e190a60d1c29caaddf9b61a39e
                                            • Instruction Fuzzy Hash: DB018F36B101288BEB949A7AE8107EF77EBEBC8311F10853AD505E7388DE24CC0687D1
                                            Function 06E43858 Relevance: .1, Instructions: 52COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d354439290b21664cc2b38820db5c79f56c7c3b3a9ba1b57bc263bf07d768677
                                            • Instruction ID: 1b355366e633cb67963944c198136868a0d91a5044416af8b2a22f8a33f2f472
                                            • Opcode Fuzzy Hash: d354439290b21664cc2b38820db5c79f56c7c3b3a9ba1b57bc263bf07d768677
                                            • Instruction Fuzzy Hash: 4311DDB5D01219AFDB10DF9AD884ACEFBF8FB48310F10812AE918A7240D375A944CFA5
                                            Function 06E441E8 Relevance: .1, Instructions: 51COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fd975a3c4f7ab5b25211f86ccc01203a8384cbd775ff635f1ceb70b8dc97709c
                                            • Instruction ID: d58353925a5846f6a7434af9f0ce44d818d2527d7466dbece63d1a5bae167b74
                                            • Opcode Fuzzy Hash: fd975a3c4f7ab5b25211f86ccc01203a8384cbd775ff635f1ceb70b8dc97709c
                                            • Instruction Fuzzy Hash: 34018635F002108BDB64A9BDA41471FA3DBEBC9714F20C43AE50AC7788DD65DC024395
                                            Function 06E4F1A0 Relevance: .0, Instructions: 49COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ccea364f269eacb4ee35c9a8d634d1f60066b5668427b5d1320127be6c08739a
                                            • Instruction ID: d1476d0e0714ae2790441a7ef968fd392816a0578fb828cc7e960d64909f18d6
                                            • Opcode Fuzzy Hash: ccea364f269eacb4ee35c9a8d634d1f60066b5668427b5d1320127be6c08739a
                                            • Instruction Fuzzy Hash: DD01A475B102104BDB64A97DE894B2F73DAEBC9B14F149839F50AC7344ED25DC024395
                                            Function 06E4A310 Relevance: .0, Instructions: 46COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c43aecd9ac6717289eb1ce83e6d83138976a3b2d16941270246967bdc0349689
                                            • Instruction ID: 8eb6f1eaec7f6601bf9bb0a1fc4e4a30e435c74bc063f8fd071533c15943536b
                                            • Opcode Fuzzy Hash: c43aecd9ac6717289eb1ce83e6d83138976a3b2d16941270246967bdc0349689
                                            • Instruction Fuzzy Hash: 2601A470F002205FDB60EA7DE854B1E73D6EB89B24F509839E40AC7348ED25EC428791
                                            Function 06E46461 Relevance: .0, Instructions: 30COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0df61a4e12a792955956c1cef52938b9cd65fd3b76d1cdd988bfc99a4e73352c
                                            • Instruction ID: 5ea37e169f6b20479d5957b5dc88a644943e2d3204f1d4e3d192d69d5764a75f
                                            • Opcode Fuzzy Hash: 0df61a4e12a792955956c1cef52938b9cd65fd3b76d1cdd988bfc99a4e73352c
                                            • Instruction Fuzzy Hash: 71E092B1E613086BEF60EE74E96568A7BAEE743358F2048A5D444CB101E633D9168391

                                            Non-executed Functions

                                            Function 06E47698 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
                                            • API String ID: 0-1298971921
                                            • Opcode ID: bb33213fcd30e052889d2a5a08ad194cbbdc20231250232b22a262a34529b640
                                            • Instruction ID: ce1fb1fe38cc675a365394bd0bfda0217a55975dbc578f6049279e0942e4a6b7
                                            • Opcode Fuzzy Hash: bb33213fcd30e052889d2a5a08ad194cbbdc20231250232b22a262a34529b640
                                            • Instruction Fuzzy Hash: 6A120830E003198FDF64EF79D954A9EB7B2BF88304F2495A9D40AAB254DB349D85CB81
                                            Function 06E4A930 Relevance: 10.2, Strings: 8, Instructions: 229COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q$$q$$q$$q$$q$$q
                                            • API String ID: 0-3886557441
                                            • Opcode ID: ec04c9e8aa0395329bd0be48501bb0214697877a9e9d133e2fdfb3523cd341b5
                                            • Instruction ID: 29c3eead8e7e0aec15f7fdb846f653f3041ababcb5ce7481e7d8e3573ef3f5c1
                                            • Opcode Fuzzy Hash: ec04c9e8aa0395329bd0be48501bb0214697877a9e9d133e2fdfb3523cd341b5
                                            • Instruction Fuzzy Hash: 2C916B30A403099FEB64EF79EA447AEB7B2FF84314F149539E4029B298DB749C45CB91
                                            Function 06E47098 Relevance: 7.9, Strings: 6, Instructions: 405COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q$$q$$q$$q
                                            • API String ID: 0-2069967915
                                            • Opcode ID: bbd897f909ad41c6cea8f026ab2f97f55ceceb2aeceb83a2676f27525ddd9929
                                            • Instruction ID: 4c0c2f049936604e6b12628e4d02a104ece1f522fd256b472d6c4d5f0f5895e0
                                            • Opcode Fuzzy Hash: bbd897f909ad41c6cea8f026ab2f97f55ceceb2aeceb83a2676f27525ddd9929
                                            • Instruction Fuzzy Hash: 44F12930B013058FDB58EF69D554A6EB7B6FF84344F248569E4069B3A4DB39EC82CB81
                                            Function 06E483D0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q$$q
                                            • API String ID: 0-4102054182
                                            • Opcode ID: 72e2eb0b31d6cba636e71b89b21b638f8de299cb97e93797ccd03101128dd190
                                            • Instruction ID: eb3d902a89a78636c8de874584a239ac00979c2286b9085c59952a9cb0f5ead3
                                            • Opcode Fuzzy Hash: 72e2eb0b31d6cba636e71b89b21b638f8de299cb97e93797ccd03101128dd190
                                            • Instruction Fuzzy Hash: C9B13A30A103198BDB64EF79E5546AEB7B2FF88304F249969D406DB394DB34DC82CB81
                                            Function 06E487E8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2542277011.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_6e40000_LisectAVT_2403002A_133.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LRq$LRq$$q$$q
                                            • API String ID: 0-2204215535
                                            • Opcode ID: 083ce48b2920151f6c9c97fce088a040eae37c920cd7753bef35496928141d29
                                            • Instruction ID: d2cf085d1e1c7d1fb1a5d7902ea5bff466bd34c37816ecaf59544ee07339b552
                                            • Opcode Fuzzy Hash: 083ce48b2920151f6c9c97fce088a040eae37c920cd7753bef35496928141d29
                                            • Instruction Fuzzy Hash: F351B230B003019FDB58EF39E940A6AB7F2FF88704F149569E5069B3A4DA35EC81CB95

                                            Execution Graph

                                            Execution Coverage:11.4%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:177
                                            Total number of Limit Nodes:7
                                            execution_graph 21095 2713bb1 21096 2713bbb 21095->21096 21098 271388c 21095->21098 21097 2713a7a 21098->21097 21101 2715561 21098->21101 21118 2715568 21098->21118 21102 2715582 21101->21102 21115 27155a6 21102->21115 21135 2715bb5 21102->21135 21140 2715acf 21102->21140 21145 2715b2d 21102->21145 21150 2715c4b 21102->21150 21154 271598b 21102->21154 21161 2715a6b 21102->21161 21166 2715e89 21102->21166 21170 2715f49 21102->21170 21175 2715b09 21102->21175 21180 2715e67 21102->21180 21185 2715c84 21102->21185 21190 2715e03 21102->21190 21195 27159fb 21102->21195 21200 2715cb9 21102->21200 21115->21097 21119 2715582 21118->21119 21120 2715bb5 2 API calls 21119->21120 21121 2715cb9 2 API calls 21119->21121 21122 27159fb 2 API calls 21119->21122 21123 2715e03 2 API calls 21119->21123 21124 27155a6 21119->21124 21125 2715c84 2 API calls 21119->21125 21126 2715e67 2 API calls 21119->21126 21127 2715b09 2 API calls 21119->21127 21128 2715f49 2 API calls 21119->21128 21129 2715e89 2 API calls 21119->21129 21130 2715a6b 2 API calls 21119->21130 21131 271598b 4 API calls 21119->21131 21132 2715c4b 2 API calls 21119->21132 21133 2715b2d 2 API calls 21119->21133 21134 2715acf 2 API calls 21119->21134 21120->21124 21121->21124 21122->21124 21123->21124 21124->21097 21125->21124 21126->21124 21127->21124 21128->21124 21129->21124 21130->21124 21131->21124 21132->21124 21133->21124 21134->21124 21136 2715bbb 21135->21136 21204 2712730 21136->21204 21208 2712728 21136->21208 21137 2715ba2 21137->21115 21141 2715a04 21140->21141 21142 2715a16 21141->21142 21212 27132d1 21141->21212 21216 27132d8 21141->21216 21142->21115 21146 2715b33 21145->21146 21220 27131e0 21146->21220 21224 27131e8 21146->21224 21147 2715b65 21147->21115 21228 27127e0 21150->21228 21232 27127d8 21150->21232 21151 2715c65 21151->21115 21236 2713470 21154->21236 21240 2713464 21154->21240 21155 27159d5 21156 2715a16 21155->21156 21159 27132d1 ReadProcessMemory 21155->21159 21160 27132d8 ReadProcessMemory 21155->21160 21156->21115 21156->21156 21159->21156 21160->21156 21162 2715a71 21161->21162 21164 27132d1 ReadProcessMemory 21162->21164 21165 27132d8 ReadProcessMemory 21162->21165 21163 2715a90 21163->21115 21164->21163 21165->21163 21244 2713120 21166->21244 21248 2713128 21166->21248 21167 2715ea7 21171 2715b44 21170->21171 21172 2715b65 21170->21172 21173 27131e0 WriteProcessMemory 21171->21173 21174 27131e8 WriteProcessMemory 21171->21174 21172->21115 21173->21172 21174->21172 21176 2715b0e 21175->21176 21177 2715ba2 21176->21177 21178 2712730 ResumeThread 21176->21178 21179 2712728 ResumeThread 21176->21179 21177->21115 21178->21177 21179->21177 21181 2715e71 21180->21181 21183 27131e0 WriteProcessMemory 21181->21183 21184 27131e8 WriteProcessMemory 21181->21184 21182 271621e 21183->21182 21184->21182 21186 2715c8d 21185->21186 21188 27131e0 WriteProcessMemory 21186->21188 21189 27131e8 WriteProcessMemory 21186->21189 21187 2715ca5 21188->21187 21189->21187 21191 2715a04 21190->21191 21192 2715a16 21191->21192 21193 27132d1 ReadProcessMemory 21191->21193 21194 27132d8 ReadProcessMemory 21191->21194 21192->21115 21193->21192 21194->21192 21196 2715a04 21195->21196 21197 2715a16 21196->21197 21198 27132d1 ReadProcessMemory 21196->21198 21199 27132d8 ReadProcessMemory 21196->21199 21197->21115 21198->21197 21199->21197 21202 27127e0 Wow64SetThreadContext 21200->21202 21203 27127d8 Wow64SetThreadContext 21200->21203 21201 2715cd3 21202->21201 21203->21201 21205 2712770 ResumeThread 21204->21205 21207 27127a1 21205->21207 21207->21137 21209 2712770 ResumeThread 21208->21209 21211 27127a1 21209->21211 21211->21137 21213 2713323 ReadProcessMemory 21212->21213 21215 2713367 21213->21215 21215->21142 21217 2713323 ReadProcessMemory 21216->21217 21219 2713367 21217->21219 21219->21142 21221 2713230 WriteProcessMemory 21220->21221 21223 2713287 21221->21223 21223->21147 21225 2713230 WriteProcessMemory 21224->21225 21227 2713287 21225->21227 21227->21147 21229 2712825 Wow64SetThreadContext 21228->21229 21231 271286d 21229->21231 21231->21151 21233 2712825 Wow64SetThreadContext 21232->21233 21235 271286d 21233->21235 21235->21151 21237 27134a1 CreateProcessA 21236->21237 21239 27136bb 21237->21239 21241 271346a CreateProcessA 21240->21241 21243 27136bb 21241->21243 21245 2713168 VirtualAllocEx 21244->21245 21247 27131a5 21245->21247 21247->21167 21249 2713168 VirtualAllocEx 21248->21249 21251 27131a5 21249->21251 21251->21167 21257 256f9c0 21258 256fa06 GetCurrentProcess 21257->21258 21260 256fa51 21258->21260 21261 256fa58 GetCurrentThread 21258->21261 21260->21261 21262 256fa95 GetCurrentProcess 21261->21262 21263 256fa8e 21261->21263 21264 256facb 21262->21264 21263->21262 21269 256fb90 21264->21269 21274 256ff7d 21264->21274 21265 256faf3 GetCurrentThreadId 21266 256fb24 21265->21266 21270 256fb94 21269->21270 21271 256fc11 DuplicateHandle 21270->21271 21273 256fb9b 21270->21273 21272 256fc9e 21271->21272 21272->21265 21273->21265 21275 256ff8e 21274->21275 21275->21265 21276 256d630 21279 256d717 21276->21279 21277 256d63f 21280 256d722 21279->21280 21281 256d6e7 21279->21281 21282 256d75c 21280->21282 21288 256d9c0 21280->21288 21292 256d9b0 21280->21292 21281->21277 21282->21277 21283 256d960 GetModuleHandleW 21285 256d98d 21283->21285 21284 256d754 21284->21282 21284->21283 21285->21277 21289 256d9d4 21288->21289 21290 256d9f9 21289->21290 21296 256d128 21289->21296 21290->21284 21293 256d9b4 21292->21293 21294 256d128 LoadLibraryExW 21293->21294 21295 256d9f9 21293->21295 21294->21295 21295->21284 21297 256dba0 LoadLibraryExW 21296->21297 21299 256dc19 21297->21299 21299->21290 21252 27139f8 21253 271388c 21252->21253 21254 2713a7a 21253->21254 21255 2715561 12 API calls 21253->21255 21256 2715568 12 API calls 21253->21256 21255->21254 21256->21254 21300 2716848 21301 27169d3 21300->21301 21303 271686e 21300->21303 21303->21301 21304 2714cac 21303->21304 21305 2716ac8 PostMessageW 21304->21305 21306 2716b34 21305->21306 21306->21303 21312 2564668 21313 2564672 21312->21313 21315 2564759 21312->21315 21316 256475c 21315->21316 21320 2564858 21316->21320 21324 2564868 21316->21324 21322 256485c 21320->21322 21321 256496c 21321->21321 21322->21321 21328 25644b4 21322->21328 21325 256486a 21324->21325 21326 25644b4 CreateActCtxA 21325->21326 21327 256496c 21325->21327 21326->21327 21329 25658f8 CreateActCtxA 21328->21329 21331 25659bb 21329->21331

                                            Executed Functions

                                            Function 0256F9B3 Relevance: 6.1, APIs: 4, Instructions: 131threadCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 298 256f9b3-256fa4f GetCurrentProcess 302 256fa51-256fa57 298->302 303 256fa58-256fa8c GetCurrentThread 298->303 302->303 304 256fa95-256fac9 GetCurrentProcess 303->304 305 256fa8e-256fa94 303->305 307 256fad2-256faea 304->307 308 256facb-256fad1 304->308 305->304 319 256faed call 256fb90 307->319 320 256faed call 256ff7d 307->320 308->307 311 256faf3-256fb22 GetCurrentThreadId 312 256fb24-256fb2a 311->312 313 256fb2b-256fb8d 311->313 312->313 319->311 320->311
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 0256FA3E
                                            • GetCurrentThread.KERNEL32 ref: 0256FA7B
                                            • GetCurrentProcess.KERNEL32 ref: 0256FAB8
                                            • GetCurrentThreadId.KERNEL32 ref: 0256FB11
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401629332.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2560000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 01d1465451d3f60341c74af2bc41b57a41bb539c06e85ea527a7ed06b2e65b6e
                                            • Instruction ID: f441cb9eeb8936c8d30a5d3b22609e5f0690d226587759a7361fbaa668f2dc3f
                                            • Opcode Fuzzy Hash: 01d1465451d3f60341c74af2bc41b57a41bb539c06e85ea527a7ed06b2e65b6e
                                            • Instruction Fuzzy Hash: 345156B1D00249CFEB14DFA9D648BEEBBF1FF48304F208459E409A7261D7359944CB66
                                            Function 0256F9C0 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 321 256f9c0-256fa4f GetCurrentProcess 325 256fa51-256fa57 321->325 326 256fa58-256fa8c GetCurrentThread 321->326 325->326 327 256fa95-256fac9 GetCurrentProcess 326->327 328 256fa8e-256fa94 326->328 330 256fad2-256faea 327->330 331 256facb-256fad1 327->331 328->327 342 256faed call 256fb90 330->342 343 256faed call 256ff7d 330->343 331->330 334 256faf3-256fb22 GetCurrentThreadId 335 256fb24-256fb2a 334->335 336 256fb2b-256fb8d 334->336 335->336 342->334 343->334
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 0256FA3E
                                            • GetCurrentThread.KERNEL32 ref: 0256FA7B
                                            • GetCurrentProcess.KERNEL32 ref: 0256FAB8
                                            • GetCurrentThreadId.KERNEL32 ref: 0256FB11
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401629332.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2560000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: e6f2ff3442bb387307165b11f0ef39d3424dcd88c856818628ce130ad861367b
                                            • Instruction ID: c8cb06fb41523f38737fc3649a89ae2da78bfeb06d1c17ca4db2936b46e4e772
                                            • Opcode Fuzzy Hash: e6f2ff3442bb387307165b11f0ef39d3424dcd88c856818628ce130ad861367b
                                            • Instruction Fuzzy Hash: F25144B1D00209CFEB14DFAAD648BEEBBF1FB88314F208459E409A7360D7759944CB66
                                            Function 02713464 Relevance: 1.8, APIs: 1, Instructions: 266processCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 997 2713464-2713468 998 27134a1-2713505 997->998 999 271346a-271349b 997->999 1002 2713507-2713511 998->1002 1003 271353e-271355e 998->1003 999->998 1002->1003 1004 2713513-2713515 1002->1004 1008 2713560-271356a 1003->1008 1009 2713597-27135c6 1003->1009 1006 2713517-2713521 1004->1006 1007 2713538-271353b 1004->1007 1010 2713523 1006->1010 1011 2713525-2713534 1006->1011 1007->1003 1008->1009 1012 271356c-271356e 1008->1012 1019 27135c8-27135d2 1009->1019 1020 27135ff-27136b9 CreateProcessA 1009->1020 1010->1011 1011->1011 1013 2713536 1011->1013 1014 2713591-2713594 1012->1014 1015 2713570-271357a 1012->1015 1013->1007 1014->1009 1017 271357c 1015->1017 1018 271357e-271358d 1015->1018 1017->1018 1018->1018 1021 271358f 1018->1021 1019->1020 1022 27135d4-27135d6 1019->1022 1031 27136c2-2713748 1020->1031 1032 27136bb-27136c1 1020->1032 1021->1014 1023 27135f9-27135fc 1022->1023 1024 27135d8-27135e2 1022->1024 1023->1020 1026 27135e4 1024->1026 1027 27135e6-27135f5 1024->1027 1026->1027 1027->1027 1028 27135f7 1027->1028 1028->1023 1042 2713758-271375c 1031->1042 1043 271374a-271374e 1031->1043 1032->1031 1045 271376c-2713770 1042->1045 1046 271375e-2713762 1042->1046 1043->1042 1044 2713750 1043->1044 1044->1042 1048 2713780-2713784 1045->1048 1049 2713772-2713776 1045->1049 1046->1045 1047 2713764 1046->1047 1047->1045 1050 2713796-271379d 1048->1050 1051 2713786-271378c 1048->1051 1049->1048 1052 2713778 1049->1052 1053 27137b4 1050->1053 1054 271379f-27137ae 1050->1054 1051->1050 1052->1048 1056 27137b5 1053->1056 1054->1053 1056->1056
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 027136A6
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401969741.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2710000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 9753b2771175b5948af0230002aa13fe2414e6826b1907f7b0deb207faabf613
                                            • Instruction ID: 1a920579c650df3026f6ad71046ee9bca32a28ba7cf9025e6bdf07597800bdf2
                                            • Opcode Fuzzy Hash: 9753b2771175b5948af0230002aa13fe2414e6826b1907f7b0deb207faabf613
                                            • Instruction Fuzzy Hash: 0BA14B71D00229DFEF24CFA8C841BEDBBB2BF48314F1485AAD819A7240DB749985CF91
                                            Function 0256D717 Relevance: 1.8, APIs: 1, Instructions: 263COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1057 256d717-256d720 1058 256d6e7-256d6f5 1057->1058 1059 256d722 1057->1059 1069 256d6f7-256d702 1058->1069 1070 256d704-256d70c 1058->1070 1061 256d726-256d737 1059->1061 1062 256d724-256d725 1059->1062 1063 256d763-256d767 1061->1063 1064 256d739-256d746 call 256ac7c 1061->1064 1062->1061 1067 256d77b-256d7bc 1063->1067 1068 256d769-256d773 1063->1068 1073 256d75c 1064->1073 1074 256d748 1064->1074 1078 256d7be-256d7c6 1067->1078 1079 256d7c9-256d7d7 1067->1079 1068->1067 1072 256d70f-256d714 1069->1072 1070->1072 1073->1063 1124 256d74e call 256d9c0 1074->1124 1125 256d74e call 256d9b0 1074->1125 1078->1079 1080 256d7fb-256d7fd 1079->1080 1081 256d7d9-256d7de 1079->1081 1086 256d800-256d807 1080->1086 1083 256d7e0-256d7e7 call 256d0cc 1081->1083 1084 256d7e9 1081->1084 1082 256d754-256d756 1082->1073 1085 256d898-256d912 1082->1085 1088 256d7eb-256d7f9 1083->1088 1084->1088 1117 256d916-256d958 1085->1117 1118 256d914 1085->1118 1089 256d814-256d81b 1086->1089 1090 256d809-256d811 1086->1090 1088->1086 1092 256d81d-256d825 1089->1092 1093 256d828-256d831 call 256d0dc 1089->1093 1090->1089 1092->1093 1098 256d833-256d83b 1093->1098 1099 256d83e-256d843 1093->1099 1098->1099 1100 256d845-256d84c 1099->1100 1101 256d861-256d865 1099->1101 1100->1101 1103 256d84e-256d85e call 256d0ec call 256d0fc 1100->1103 1126 256d868 call 256dcc0 1101->1126 1127 256d868 call 256dcbb 1101->1127 1103->1101 1106 256d86b-256d86e 1108 256d870-256d88e 1106->1108 1109 256d891-256d897 1106->1109 1108->1109 1119 256d960-256d98b GetModuleHandleW 1117->1119 1120 256d95a-256d95d 1117->1120 1118->1117 1121 256d994-256d9a8 1119->1121 1122 256d98d-256d993 1119->1122 1120->1119 1122->1121 1124->1082 1125->1082 1126->1106 1127->1106
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401629332.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2560000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c8b382ed75b7577a2357fcc32953f2d8c00f602d73abaf55e6d267eda5c5db94
                                            • Instruction ID: d2c3e4b45a6a9e89b4051e7d94c68205512ce8e6e0b28e6f65b5207eb9e9addd
                                            • Opcode Fuzzy Hash: c8b382ed75b7577a2357fcc32953f2d8c00f602d73abaf55e6d267eda5c5db94
                                            • Instruction Fuzzy Hash: 33A16970A01B418FE725CF29D4587AABBF2FF88314F048A2ED086CB651D775E44ACB95
                                            Function 02713470 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1128 2713470-2713505 1131 2713507-2713511 1128->1131 1132 271353e-271355e 1128->1132 1131->1132 1133 2713513-2713515 1131->1133 1137 2713560-271356a 1132->1137 1138 2713597-27135c6 1132->1138 1135 2713517-2713521 1133->1135 1136 2713538-271353b 1133->1136 1139 2713523 1135->1139 1140 2713525-2713534 1135->1140 1136->1132 1137->1138 1141 271356c-271356e 1137->1141 1148 27135c8-27135d2 1138->1148 1149 27135ff-27136b9 CreateProcessA 1138->1149 1139->1140 1140->1140 1142 2713536 1140->1142 1143 2713591-2713594 1141->1143 1144 2713570-271357a 1141->1144 1142->1136 1143->1138 1146 271357c 1144->1146 1147 271357e-271358d 1144->1147 1146->1147 1147->1147 1150 271358f 1147->1150 1148->1149 1151 27135d4-27135d6 1148->1151 1160 27136c2-2713748 1149->1160 1161 27136bb-27136c1 1149->1161 1150->1143 1152 27135f9-27135fc 1151->1152 1153 27135d8-27135e2 1151->1153 1152->1149 1155 27135e4 1153->1155 1156 27135e6-27135f5 1153->1156 1155->1156 1156->1156 1157 27135f7 1156->1157 1157->1152 1171 2713758-271375c 1160->1171 1172 271374a-271374e 1160->1172 1161->1160 1174 271376c-2713770 1171->1174 1175 271375e-2713762 1171->1175 1172->1171 1173 2713750 1172->1173 1173->1171 1177 2713780-2713784 1174->1177 1178 2713772-2713776 1174->1178 1175->1174 1176 2713764 1175->1176 1176->1174 1179 2713796-271379d 1177->1179 1180 2713786-271378c 1177->1180 1178->1177 1181 2713778 1178->1181 1182 27137b4 1179->1182 1183 271379f-27137ae 1179->1183 1180->1179 1181->1177 1185 27137b5 1182->1185 1183->1182 1185->1185
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 027136A6
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401969741.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2710000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: caa33b333976ae8f31089a077d24588fb9caa98059248fe658d89b45f0ff11e5
                                            • Instruction ID: 1ace79dfe441670189a2d0738dd15d7266061ec357d17344c5a16594ec06e03f
                                            • Opcode Fuzzy Hash: caa33b333976ae8f31089a077d24588fb9caa98059248fe658d89b45f0ff11e5
                                            • Instruction Fuzzy Hash: DF914A71D00369DFEF24CF68C881BADBBB2BF48314F1485A9E808A7240DB749985CF91
                                            Function 025658EC Relevance: 1.6, APIs: 1, Instructions: 102COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1186 25658ec-25658ee 1187 25658f2 1186->1187 1188 25658f0 1186->1188 1189 25658f6-256596c 1187->1189 1190 25658f4-25658f5 1187->1190 1188->1187 1192 256596f-25659b9 CreateActCtxA 1189->1192 1190->1189 1194 25659c2-2565a1c 1192->1194 1195 25659bb-25659c1 1192->1195 1202 2565a1e-2565a21 1194->1202 1203 2565a2b-2565a2f 1194->1203 1195->1194 1202->1203 1204 2565a40-2565a70 1203->1204 1205 2565a31-2565a3d 1203->1205 1209 2565a22-2565a27 1204->1209 1210 2565a72-2565af4 1204->1210 1205->1204 1209->1203
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 025659A9
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401629332.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2560000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 7342bc9bd9046fbd6499027c5837c9fe9fffbcf2356f16bb51a52b4ca8278909
                                            • Instruction ID: f944f67d056c1fda6e9919a29fffefc4c5eeba2158c5665e5d975590e1b8b647
                                            • Opcode Fuzzy Hash: 7342bc9bd9046fbd6499027c5837c9fe9fffbcf2356f16bb51a52b4ca8278909
                                            • Instruction Fuzzy Hash: 2A4105B0C00719CFEB24CFA9C884B9EBBB5BF48304F60815AE409AB251D7756945CF54
                                            Function 0256FB90 Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1213 256fb90-256fb92 1214 256fb96-256fb99 1213->1214 1215 256fb94 1213->1215 1216 256fc11-256fc9c DuplicateHandle 1214->1216 1217 256fb9b-256fb9e 1214->1217 1215->1214 1218 256fca5-256fcc2 1216->1218 1219 256fc9e-256fca4 1216->1219 1220 256fba2-256fbc9 call 256f550 1217->1220 1221 256fba0-256fba1 1217->1221 1219->1218 1225 256fbce-256fbf4 1220->1225 1221->1220
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401629332.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2560000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e77758b5f51deb60ee32092f1fb3f1bf348fa563fb2be342bff0acb47a64196f
                                            • Instruction ID: 8a5ae596f406f9ba00be6a5fafd9bea010f2654e6cd599cf14618bd61d731cce
                                            • Opcode Fuzzy Hash: e77758b5f51deb60ee32092f1fb3f1bf348fa563fb2be342bff0acb47a64196f
                                            • Instruction Fuzzy Hash: 83415776900249DFDB11CF99E844AEEBFF5FB48310F14805AE915A7321D3359914DFA4
                                            Function 025644B4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1228 25644b4-25659b9 CreateActCtxA 1232 25659c2-2565a1c 1228->1232 1233 25659bb-25659c1 1228->1233 1240 2565a1e-2565a21 1232->1240 1241 2565a2b-2565a2f 1232->1241 1233->1232 1240->1241 1242 2565a40-2565a70 1241->1242 1243 2565a31-2565a3d 1241->1243 1247 2565a22-2565a27 1242->1247 1248 2565a72-2565af4 1242->1248 1243->1242 1247->1241
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 025659A9
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401629332.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2560000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 96645d95ad75933e7fa5321d4e0fd9641554ed444f3f15be4ba583c6d3ab1a88
                                            • Instruction ID: c3b6504d2dc194b2146865658aa1dc8c6cec4f738bf2a9b0efa1db71ab333552
                                            • Opcode Fuzzy Hash: 96645d95ad75933e7fa5321d4e0fd9641554ed444f3f15be4ba583c6d3ab1a88
                                            • Instruction Fuzzy Hash: B841D270C00719CFEF24DFAAC88479EBBB5BF49304F60806AD409AB255DB756945CF94
                                            Function 02565A64 Relevance: 1.6, APIs: 1, Instructions: 84COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1251 2565a64-2565a70 1252 2565a22-2565a27 1251->1252 1253 2565a72-2565af4 1251->1253 1256 2565a2b-2565a2f 1252->1256 1257 2565a40-2565a41 1256->1257 1258 2565a31-2565a3d 1256->1258 1257->1251 1258->1257
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401629332.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2560000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9d0d6e60831157cb5a9b755a6a968b031e0264ddf595cf04b4788fabcb8380b2
                                            • Instruction ID: c2ac7e3a9f5bb2d3348958a676cb4efab70e07bd6f478e97bfd634557038a2b8
                                            • Opcode Fuzzy Hash: 9d0d6e60831157cb5a9b755a6a968b031e0264ddf595cf04b4788fabcb8380b2
                                            • Instruction Fuzzy Hash: 0F31DA70804789CFEF11CFA4C9587EEBBF1BF46308F944089C051AB255E7B6A90ACB14
                                            Function 027131E0 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1261 27131e0-2713236 1263 2713246-2713285 WriteProcessMemory 1261->1263 1264 2713238-2713244 1261->1264 1266 2713287-271328d 1263->1266 1267 271328e-27132be 1263->1267 1264->1263 1266->1267
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02713278
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401969741.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2710000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 0d97eef2dc66aa4714d5a4148f1be45b53846ec4abc70bf2fd07aa868a83a346
                                            • Instruction ID: 988d4fe10ff9a432bdb381a3b6e0a72367896879703cc2f61288d30a3c065c52
                                            • Opcode Fuzzy Hash: 0d97eef2dc66aa4714d5a4148f1be45b53846ec4abc70bf2fd07aa868a83a346
                                            • Instruction Fuzzy Hash: 222113B6900349DFDB14DFA9C981BEEBBF1FF48310F14842AE918A7250D7789950CBA5
                                            Function 027131E8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                            Download Yara Rule
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02713278
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401969741.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2710000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 22a5f73b5e9ff2807fa879761eabe62dacd7fce52029a5be9744d10f2046e2dc
                                            • Instruction ID: b2e197b92f63ef093c43d92a83791058e799c863ab803fd7778b3091c078742c
                                            • Opcode Fuzzy Hash: 22a5f73b5e9ff2807fa879761eabe62dacd7fce52029a5be9744d10f2046e2dc
                                            • Instruction Fuzzy Hash: 9C212471900349DFDB14DFAAC981BEEBBF5FF48310F10842AE918A7240C7789940CBA5
                                            Function 0256FC00 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                                            Download Yara Rule
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0256FC8F
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401629332.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2560000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 808c2a3257623abb07938995897b9f472304ff362473dae64e1237bbe371361a
                                            • Instruction ID: 8c40b175bcbec6bfcda45efd18b60403da304614a584465dea3ed79b1b9f0121
                                            • Opcode Fuzzy Hash: 808c2a3257623abb07938995897b9f472304ff362473dae64e1237bbe371361a
                                            • Instruction Fuzzy Hash: 9F2126B5D00248DFEB10CF9AD584ADEBFF5FB48310F14801AE914A3210C3349941CF65
                                            Function 027132D1 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                            Download Yara Rule
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02713358
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401969741.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2710000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: c00b9e173e421ac1bdbcf7fff38af2dd5fe1db3f684f0ab5b347df94631bc2cf
                                            • Instruction ID: 678dc3c31b9d757f833128c8aef90d5ae32ab1b35190cd13a98b29c6d01fccb4
                                            • Opcode Fuzzy Hash: c00b9e173e421ac1bdbcf7fff38af2dd5fe1db3f684f0ab5b347df94631bc2cf
                                            • Instruction Fuzzy Hash: 352107B2D003499FDB14CF99C9817EEBBF5FF48310F14842AE518A7240C73995459B65
                                            Function 027132D8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                            Download Yara Rule
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02713358
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401969741.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2710000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: ca9fec5140ea523bf289865f49cb989fa78d86d5574debf908557dc812aee22c
                                            • Instruction ID: e271bb1137bcb8ce3f20eac25cec277332252e5277ec7048e371b620852a8fff
                                            • Opcode Fuzzy Hash: ca9fec5140ea523bf289865f49cb989fa78d86d5574debf908557dc812aee22c
                                            • Instruction Fuzzy Hash: 12211671C003499FDB14CFAAC980BEEBBF5FF48310F10842AE918A7240CB399541DBA5
                                            Function 027127E0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0271285E
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401969741.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2710000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 6abc7da7f20fe8cb94cb9d0c46d0b119c23fe50319f241986eed46fad2113e74
                                            • Instruction ID: e4efbfdfd23c2a6ce0a7bc4ac0d2e16f075384f45fe85b9cceca848e99ed8369
                                            • Opcode Fuzzy Hash: 6abc7da7f20fe8cb94cb9d0c46d0b119c23fe50319f241986eed46fad2113e74
                                            • Instruction Fuzzy Hash: 8C213571D003088FDB14DFAAC485BEEBBF4EF48314F14842AD919A7241DB789945CFA5
                                            Function 027127D8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0271285E
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401969741.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2710000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: c41c7f89671b05cd8309c0c4bfd3ae3f17c0edea169bf6563c3ff20b12861732
                                            • Instruction ID: 93895e7c79aa5993874f858416a866a574f6bbe8a62966e56d2ad22416dc71ce
                                            • Opcode Fuzzy Hash: c41c7f89671b05cd8309c0c4bfd3ae3f17c0edea169bf6563c3ff20b12861732
                                            • Instruction Fuzzy Hash: 0F2143B1D00308CFDB14CFAAC5817AEBBF4EF48214F14842AD959A7241DB389A45CBA4
                                            Function 0256FC08 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                            Download Yara Rule
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0256FC8F
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401629332.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2560000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 5d2f6a415ca8096a41c496b8258e111c3a61b60d5941c40cdd1b4e8437880f05
                                            • Instruction ID: 7ca7eafc389e9ddfe5d5e489b0d08861002953de72ccc6c6e447a8107c775447
                                            • Opcode Fuzzy Hash: 5d2f6a415ca8096a41c496b8258e111c3a61b60d5941c40cdd1b4e8437880f05
                                            • Instruction Fuzzy Hash: 3921E4B5D00248DFDB10CF9AD584ADEBBF9FB48310F14841AE914A7350D378A940CF65
                                            Function 02713120 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02713196
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401969741.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2710000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 4a89f5bfa77d2963e7064c5d9b1d87c56d1866d4b2b48ba96d2afc074a8c8728
                                            • Instruction ID: 7ed3d4c7c0832ec647c55d6a3fb6333f87fb5163ab7f4cd27618d0f90afa102c
                                            • Opcode Fuzzy Hash: 4a89f5bfa77d2963e7064c5d9b1d87c56d1866d4b2b48ba96d2afc074a8c8728
                                            • Instruction Fuzzy Hash: 9F116472C00248DFDB24CFA9C944BEEBBF5AF48310F24881AE915A7650C7399510CBA0
                                            Function 0256D128 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0256D9F9,00000800,00000000,00000000), ref: 0256DC0A
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401629332.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2560000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: ee5ebe273b900f74b564bcc61e00a51956b8af67e4b095678fa97924c69e9fbe
                                            • Instruction ID: 26e4f152a2d83c1dca5e60c08b55d118e806f369449f0880d93e425cda5c5633
                                            • Opcode Fuzzy Hash: ee5ebe273b900f74b564bcc61e00a51956b8af67e4b095678fa97924c69e9fbe
                                            • Instruction Fuzzy Hash: C811F4B69002499FDB20CF9AD544BAEFBF4EB48210F10842AE819A7210C375A545CFA9
                                            Function 02713128 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02713196
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401969741.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2710000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: a89ba3e9488c356dcea21ad4babe21afcec46cda57f28340888ec33cf0195191
                                            • Instruction ID: 7f04f3726798193f2548f1db98c8c4a9ec42775d47e851dbaaedb332ee45ba6a
                                            • Opcode Fuzzy Hash: a89ba3e9488c356dcea21ad4babe21afcec46cda57f28340888ec33cf0195191
                                            • Instruction Fuzzy Hash: 78112672900349DFDB24DFAAC844BDFBBF5EF48310F14841AE915A7250CB759540DBA5
                                            Function 0256DB9B Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0256D9F9,00000800,00000000,00000000), ref: 0256DC0A
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401629332.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2560000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: fdba9163b41dd49d3c0c5cef2a0b8ec2995400604c7da9de6265a1fb53df58d3
                                            • Instruction ID: c0fdec012042f19dbc625878ae4d883ac0379f893f3f85a64c1a0da225089eaf
                                            • Opcode Fuzzy Hash: fdba9163b41dd49d3c0c5cef2a0b8ec2995400604c7da9de6265a1fb53df58d3
                                            • Instruction Fuzzy Hash: 6E1100BAD00209CFEB14CF9AD584BDEFBF5AB88350F14852AD819A7210C379A545CFA4
                                            Function 02712730 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401969741.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2710000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: a2cf8b07c6e19533f8bf1eaf98cdd3f19cd340c6eb568d58535403dfb08e5b48
                                            • Instruction ID: dbb74fcfce32e0f5240ead91fed932926a3d7246403f16a68999b69bf7fa553c
                                            • Opcode Fuzzy Hash: a2cf8b07c6e19533f8bf1eaf98cdd3f19cd340c6eb568d58535403dfb08e5b48
                                            • Instruction Fuzzy Hash: D2112571D003498FDB24DFAAC4447EFFBF4EF88224F24842AD519A7240CB79A940CBA5
                                            Function 02712728 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401969741.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2710000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: ab37a08a5a90b17a2374450dfede50badd83fbe1111765b08d88f00cdcbbdb91
                                            • Instruction ID: ec549bcb053d4498e3f3616301b0b3581b9a6c2f91a0c2244b3d0135823bc15a
                                            • Opcode Fuzzy Hash: ab37a08a5a90b17a2374450dfede50badd83fbe1111765b08d88f00cdcbbdb91
                                            • Instruction Fuzzy Hash: 6E1146B5D00348CFDB24CFAAC5447AEBBF4AF48224F24841AD519A7640CB39A940CBA4
                                            Function 02714CAC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 02716B25
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401969741.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2710000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: a6545a27d83d3fad4f693a2f7c98dbc9ca85c95485e835b0657814cacd5e485d
                                            • Instruction ID: 9873dfdf55da3480f3e7d1b280d0c0d8e9ce5914e422e935fc18172d66d4d5ef
                                            • Opcode Fuzzy Hash: a6545a27d83d3fad4f693a2f7c98dbc9ca85c95485e835b0657814cacd5e485d
                                            • Instruction Fuzzy Hash: 1E11F2B5800348DFDB20CF9AD584BDEBBF8EB48320F20841AE918A7740C375A944CFA5
                                            Function 0256D918 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                            Download Yara Rule
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0256D97E
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401629332.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2560000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 877abc71101dd508491d2c991923d23d1a852a038038ca8741eee672b5694b9b
                                            • Instruction ID: b4eeedd2a02c677533bcdc55cb51b9698eed0cda7313316c7f5c115c8f36c103
                                            • Opcode Fuzzy Hash: 877abc71101dd508491d2c991923d23d1a852a038038ca8741eee672b5694b9b
                                            • Instruction Fuzzy Hash: 77110FB6D01249CFDB20CF9AD444BDEFBF4EB88214F10841AD868A7210C379A545CFA5
                                            Function 02716AC1 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 02716B25
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401969741.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2710000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: b168cef9da791e566ce06cc81129ec5eb1c8953019d2e30cabd042e6d26ab3eb
                                            • Instruction ID: f1db6bd4b012b7941ceb2cc5d422c5876c75888ceedf8aaf26528a001f6b5fdd
                                            • Opcode Fuzzy Hash: b168cef9da791e566ce06cc81129ec5eb1c8953019d2e30cabd042e6d26ab3eb
                                            • Instruction Fuzzy Hash: 741100B6900249DFDB20CF9AD585BDEFBF8EF48314F20841AE558A7610C375A944CFA1
                                            Function 00ADD0DC Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401298200.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_add000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f36f2f590048ec1d6ca72224d8a00e6a872078c1f9a91daaf133e7c6d22b936f
                                            • Instruction ID: 1e2b139af33577ba825b29a27c259090a065b8aa72d658a1294c0afaaaa021f9
                                            • Opcode Fuzzy Hash: f36f2f590048ec1d6ca72224d8a00e6a872078c1f9a91daaf133e7c6d22b936f
                                            • Instruction Fuzzy Hash: 1321A475504344EFDB14DF24D9C4B26BB65FB84314F24C66EE90A4F396C33AD846CA62
                                            Function 00ADD294 Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401298200.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_add000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b68096bcb00bb98c75f64d98462dc1be1cd7b33a9dae0d8ab9dfde3b178bf88e
                                            • Instruction ID: 58c10a57db79ffbf1f7d3619fc8e34661e808dc14b589181ac5715af62bae7fd
                                            • Opcode Fuzzy Hash: b68096bcb00bb98c75f64d98462dc1be1cd7b33a9dae0d8ab9dfde3b178bf88e
                                            • Instruction Fuzzy Hash: 7821D475604304EFDB14DF24D9C0B26BBA5FB84314F24C56EE84A4F392C33AD846CA62
                                            Function 00ADD28F Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.1401298200.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_add000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                            • Instruction ID: a90d3edc617aa034d6fcc02b8098aa50f0545fdec098e099f2671c82a23c9b89
                                            • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                            • Instruction Fuzzy Hash: B6118B75504280DFDB15CF10D5C4B15BFA1FB84314F24C6AAD84A4F796C33AD84ACB62

                                            Execution Graph

                                            Execution Coverage:11.6%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:19
                                            Total number of Limit Nodes:5
                                            execution_graph 28202 13e0848 28203 13e084e 28202->28203 28204 13e091b 28203->28204 28206 13e137f 28203->28206 28207 13e1371 28206->28207 28208 13e1379 28206->28208 28207->28203 28208->28207 28210 13e7ea8 28208->28210 28211 13e7eb2 28210->28211 28212 13e7ecc 28211->28212 28215 6b2fa38 28211->28215 28220 6b2fa28 28211->28220 28212->28208 28217 6b2fa4d 28215->28217 28216 6b2fc62 28216->28212 28217->28216 28218 6b2fc88 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 28217->28218 28219 6b2fc78 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 28217->28219 28218->28217 28219->28217 28221 6b2fa4d 28220->28221 28222 6b2fc62 28221->28222 28223 6b2fc88 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 28221->28223 28224 6b2fc78 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 28221->28224 28222->28212 28223->28221 28224->28221

                                            Executed Functions

                                            Function 06B22350 Relevance: 9.0, Strings: 6, Instructions: 1476COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q$$q$$q$$q
                                            • API String ID: 0-2069967915
                                            • Opcode ID: 890fc076f6be809bad0998954a7530c04cde1f39492d77432dafa0b6caeebde0
                                            • Instruction ID: 81edf01e060bb17bb81c75595491624f9eaef52c014739d792037ad9753d1322
                                            • Opcode Fuzzy Hash: 890fc076f6be809bad0998954a7530c04cde1f39492d77432dafa0b6caeebde0
                                            • Instruction Fuzzy Hash: 49D25974E00215CFDB64DF68C584A9DB7F2FF89310F5485A9E40AAB265DB34ED85CB80
                                            Function 06B2B230 Relevance: 8.3, Strings: 6, Instructions: 763COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q$$q$$q$$q
                                            • API String ID: 0-2069967915
                                            • Opcode ID: 1aa82b55a31e0b55ba3afafe1a2edb6875da82fd9a9bd8e6d63386cb0e419b08
                                            • Instruction ID: 64937d3ad3aa0912d3e19cc26a8457c66d3c38885620a59a295b63166dadd15e
                                            • Opcode Fuzzy Hash: 1aa82b55a31e0b55ba3afafe1a2edb6875da82fd9a9bd8e6d63386cb0e419b08
                                            • Instruction Fuzzy Hash: 1E528EB0E1021A8BEF64CB68D4947ADB7F2FB45314F2494A9E409EB355DE34DC81CB91
                                            Function 06B27D78 Relevance: 3.0, Strings: 2, Instructions: 470COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1840 6b27d78-6b27d96 1841 6b27d98-6b27d9b 1840->1841 1842 6b27da8-6b27dab 1841->1842 1843 6b27d9d-6b27da7 1841->1843 1844 6b27dc2-6b27dc5 1842->1844 1845 6b27dad-6b27dbb 1842->1845 1846 6b27dc7-6b27de3 1844->1846 1847 6b27de8-6b27deb 1844->1847 1854 6b27e1e-6b27e34 1845->1854 1855 6b27dbd 1845->1855 1846->1847 1848 6b27e0c-6b27e0e 1847->1848 1849 6b27ded-6b27e07 1847->1849 1852 6b27e10 1848->1852 1853 6b27e15-6b27e18 1848->1853 1849->1848 1852->1853 1853->1841 1853->1854 1859 6b27e3a-6b27e43 1854->1859 1860 6b2804f-6b28059 1854->1860 1855->1844 1862 6b2805a-6b2808f 1859->1862 1863 6b27e49-6b27e66 1859->1863 1866 6b28091-6b28094 1862->1866 1872 6b2803c-6b28049 1863->1872 1873 6b27e6c-6b27e94 1863->1873 1868 6b28096-6b280b2 1866->1868 1869 6b280b7-6b280ba 1866->1869 1868->1869 1870 6b280c0-6b280cf 1869->1870 1871 6b282ef-6b282f2 1869->1871 1882 6b280d1-6b280ec 1870->1882 1883 6b280ee-6b28132 1870->1883 1875 6b282f8-6b28304 1871->1875 1876 6b2839d-6b2839f 1871->1876 1872->1859 1872->1860 1873->1872 1895 6b27e9a-6b27ea3 1873->1895 1881 6b2830f-6b28311 1875->1881 1878 6b283a1 1876->1878 1879 6b283a6-6b283a9 1876->1879 1878->1879 1879->1866 1884 6b283af-6b283b8 1879->1884 1886 6b28313-6b28319 1881->1886 1887 6b28329-6b2832d 1881->1887 1882->1883 1897 6b282c3-6b282d9 1883->1897 1898 6b28138-6b28149 1883->1898 1889 6b2831b 1886->1889 1890 6b2831d-6b2831f 1886->1890 1891 6b2833b 1887->1891 1892 6b2832f-6b28339 1887->1892 1889->1887 1890->1887 1896 6b28340-6b28342 1891->1896 1892->1896 1895->1862 1899 6b27ea9-6b27ec5 1895->1899 1901 6b28353-6b2838c 1896->1901 1902 6b28344-6b28347 1896->1902 1897->1871 1910 6b282ae-6b282bd 1898->1910 1911 6b2814f-6b2816c 1898->1911 1906 6b2802a-6b28036 1899->1906 1907 6b27ecb-6b27ef5 1899->1907 1901->1870 1922 6b28392-6b2839c 1901->1922 1902->1884 1906->1872 1906->1895 1924 6b28020-6b28025 1907->1924 1925 6b27efb-6b27f23 1907->1925 1910->1897 1910->1898 1911->1910 1919 6b28172-6b28268 call 6b26590 1911->1919 1973 6b28276 1919->1973 1974 6b2826a-6b28274 1919->1974 1924->1906 1925->1924 1931 6b27f29-6b27f57 1925->1931 1931->1924 1936 6b27f5d-6b27f66 1931->1936 1936->1924 1938 6b27f6c-6b27f9e 1936->1938 1946 6b27fa0-6b27fa4 1938->1946 1947 6b27fa9-6b27fc5 1938->1947 1946->1924 1948 6b27fa6 1946->1948 1947->1906 1949 6b27fc7-6b2801e call 6b26590 1947->1949 1948->1947 1949->1906 1975 6b2827b-6b2827d 1973->1975 1974->1975 1975->1910 1976 6b2827f-6b28284 1975->1976 1977 6b28292 1976->1977 1978 6b28286-6b28290 1976->1978 1979 6b28297-6b28299 1977->1979 1978->1979 1979->1910 1980 6b2829b-6b282a7 1979->1980 1980->1910
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q
                                            • API String ID: 0-3126353813
                                            • Opcode ID: f577b6d9f634f24f2611a1d4905d24475acedfd2615450d9d6af17dbdba2901b
                                            • Instruction ID: 84fa8d1b6e8fb33f2d4ad47db43214b44b7e7314bbf7b526c87520bfa1f123bc
                                            • Opcode Fuzzy Hash: f577b6d9f634f24f2611a1d4905d24475acedfd2615450d9d6af17dbdba2901b
                                            • Instruction Fuzzy Hash: 18027F70B002168FDB54DF68D854BAEB7E2FF84310F248569E9099B794DB35EC46CB90
                                            Function 06B25580 Relevance: 1.8, Strings: 1, Instructions: 595COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2049 6b25580-6b2559d 2050 6b2559f-6b255a2 2049->2050 2051 6b255e0-6b255e3 2050->2051 2052 6b255a4-6b255ad 2050->2052 2055 6b255e5-6b255e8 2051->2055 2056 6b255ea-6b255f0 2051->2056 2053 6b255b3-6b255bb 2052->2053 2054 6b2576a-6b25793 2052->2054 2053->2054 2059 6b255c1-6b255d1 2053->2059 2071 6b2579d-6b257a0 2054->2071 2055->2056 2060 6b255fb-6b255fe 2055->2060 2057 6b25683-6b2568d 2056->2057 2058 6b255f6 2056->2058 2067 6b25694-6b25696 2057->2067 2058->2060 2059->2054 2064 6b255d7-6b255db 2059->2064 2061 6b25600-6b25603 2060->2061 2062 6b25608-6b2560b 2060->2062 2061->2062 2065 6b25617-6b2561a 2062->2065 2066 6b2560d-6b25616 2062->2066 2064->2051 2068 6b2562b-6b2562e 2065->2068 2069 6b2561c-6b25620 2065->2069 2070 6b2569b-6b2569e 2067->2070 2074 6b25630-6b25637 2068->2074 2075 6b2563e-6b25641 2068->2075 2072 6b25626 2069->2072 2073 6b2575c-6b25769 2069->2073 2076 6b256b2-6b256b5 2070->2076 2077 6b256a0-6b256ad 2070->2077 2078 6b257c2-6b257c5 2071->2078 2079 6b257a2-6b257a6 2071->2079 2072->2068 2074->2061 2080 6b25639 2074->2080 2083 6b25643-6b25652 2075->2083 2084 6b25657-6b2565a 2075->2084 2085 6b256b7-6b256ba 2076->2085 2086 6b256bf-6b256c2 2076->2086 2077->2076 2087 6b257c7-6b257ce 2078->2087 2088 6b257d9-6b257dc 2078->2088 2081 6b2588e-6b25898 2079->2081 2082 6b257ac-6b257b4 2079->2082 2080->2075 2115 6b258c3-6b258cd 2081->2115 2116 6b2589a-6b258c1 2081->2116 2082->2081 2094 6b257ba-6b257bd 2082->2094 2083->2084 2089 6b25664-6b25667 2084->2089 2090 6b2565c-6b2565f 2084->2090 2085->2086 2095 6b256c4-6b256da 2086->2095 2096 6b256df-6b256e2 2086->2096 2097 6b25886-6b2588d 2087->2097 2098 6b257d4 2087->2098 2091 6b257e6-6b257e9 2088->2091 2092 6b257de-6b257e5 2088->2092 2099 6b25675-6b25678 2089->2099 2100 6b25669-6b25670 2089->2100 2090->2089 2101 6b2580b-6b2580e 2091->2101 2102 6b257eb-6b257ef 2091->2102 2094->2078 2095->2096 2103 6b256e4-6b256f6 2096->2103 2104 6b256fb-6b256fe 2096->2104 2098->2088 2108 6b25736-6b2573f 2099->2108 2109 6b2567e-6b25681 2099->2109 2100->2099 2111 6b25810-6b25814 2101->2111 2112 6b25828-6b2582b 2101->2112 2102->2081 2110 6b257f5-6b257fd 2102->2110 2103->2104 2113 6b25700-6b2571f 2104->2113 2114 6b25724-6b25727 2104->2114 2108->2052 2117 6b25745 2108->2117 2109->2057 2109->2070 2110->2081 2118 6b25803-6b25806 2110->2118 2111->2081 2120 6b25816-6b2581e 2111->2120 2121 6b2583c-6b2583f 2112->2121 2122 6b2582d-6b25837 2112->2122 2113->2114 2123 6b25731-6b25734 2114->2123 2124 6b25729-6b2572e 2114->2124 2125 6b258ce-6b258d1 2115->2125 2116->2115 2128 6b2574a-6b2574c 2117->2128 2118->2101 2120->2081 2129 6b25820-6b25823 2120->2129 2131 6b25841-6b25852 2121->2131 2132 6b25857-6b2585a 2121->2132 2122->2121 2123->2108 2123->2128 2124->2123 2126 6b258d3-6b258e6 2125->2126 2127 6b258e9-6b258ec 2125->2127 2137 6b2590a-6b2590d 2127->2137 2138 6b258ee-6b258ff 2127->2138 2133 6b25753-6b25756 2128->2133 2134 6b2574e 2128->2134 2129->2112 2131->2132 2135 6b25874-6b25876 2132->2135 2136 6b2585c-6b25860 2132->2136 2133->2050 2133->2073 2134->2133 2143 6b25878 2135->2143 2144 6b2587d-6b25880 2135->2144 2136->2081 2142 6b25862-6b2586a 2136->2142 2145 6b2592b-6b2592e 2137->2145 2146 6b2590f-6b25920 2137->2146 2154 6b25905 2138->2154 2155 6b25c4b-6b25c52 2138->2155 2142->2081 2148 6b2586c-6b2586f 2142->2148 2143->2144 2144->2071 2144->2097 2150 6b25930-6b25941 2145->2150 2151 6b25948-6b2594b 2145->2151 2161 6b25926 2146->2161 2162 6b25c65-6b25c76 2146->2162 2148->2135 2150->2126 2163 6b25943 2150->2163 2152 6b25955-6b25958 2151->2152 2153 6b2594d-6b25952 2151->2153 2159 6b25963-6b25af7 2152->2159 2160 6b2595a-6b2595d 2152->2160 2153->2152 2154->2137 2158 6b25c57-6b25c5a 2155->2158 2158->2159 2164 6b25c60-6b25c63 2158->2164 2200 6b25c30-6b25c43 2159->2200 2201 6b25afd-6b25b04 2159->2201 2160->2159 2165 6b25c46-6b25c49 2160->2165 2161->2145 2162->2155 2169 6b25c78 2162->2169 2163->2151 2164->2162 2166 6b25c7d-6b25c80 2164->2166 2165->2155 2165->2158 2170 6b25c82-6b25c89 2166->2170 2171 6b25c8e-6b25c91 2166->2171 2169->2166 2170->2171 2173 6b25c93-6b25ca4 2171->2173 2174 6b25cab-6b25cad 2171->2174 2173->2155 2180 6b25ca6 2173->2180 2175 6b25cb4-6b25cb7 2174->2175 2176 6b25caf 2174->2176 2175->2125 2177 6b25cbd-6b25cc6 2175->2177 2176->2175 2180->2174 2202 6b25b0a-6b25b3d 2201->2202 2203 6b25bb8-6b25bbf 2201->2203 2214 6b25b42-6b25b83 2202->2214 2215 6b25b3f 2202->2215 2203->2200 2205 6b25bc1-6b25bf4 2203->2205 2216 6b25bf6 2205->2216 2217 6b25bf9-6b25c26 2205->2217 2225 6b25b85-6b25b96 2214->2225 2226 6b25b9b-6b25ba2 2214->2226 2215->2214 2216->2217 2217->2177 2225->2177 2228 6b25baa-6b25bac 2226->2228 2228->2177
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $
                                            • API String ID: 0-3993045852
                                            • Opcode ID: a3183c506a0c1959382c6b5cc8ff21ee9a1d79a06a435356b5dd30f5bb736fbf
                                            • Instruction ID: 7c944c089ee1f082c76efd38249d75ababddd4c2a3652176e370caabd58cbd99
                                            • Opcode Fuzzy Hash: a3183c506a0c1959382c6b5cc8ff21ee9a1d79a06a435356b5dd30f5bb736fbf
                                            • Instruction Fuzzy Hash: E322C4B6E102158FDF74DBA4C4807AEBBF2EF85320F2485A9D519AB354DA35DC41CB90
                                            Function 06B265E0 Relevance: .8, Instructions: 810COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d169031a3ff1d2d8078eb8b43cc6f0964e2967e06a79b8255e8fe04abb281533
                                            • Instruction ID: 6c5dcf2807e19abefe785a6f1c2ea6da1f6b1823e5841fbbdf17f172b4d365c0
                                            • Opcode Fuzzy Hash: d169031a3ff1d2d8078eb8b43cc6f0964e2967e06a79b8255e8fe04abb281533
                                            • Instruction Fuzzy Hash: 1A627074A102158FDB54DF68D594BADB7F2EF88310F1485A9E40AEB394EB35EC46CB80
                                            Function 06B2C178 Relevance: .6, Instructions: 633COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9d072a4b16c06b97e2b6ee07382ec192bdb5d7993bfe0431bffcd5d8535b95ab
                                            • Instruction ID: bc65843f95524d5042fdd46da5212835f429946b71a4bc122ecab76f01b2c59d
                                            • Opcode Fuzzy Hash: 9d072a4b16c06b97e2b6ee07382ec192bdb5d7993bfe0431bffcd5d8535b95ab
                                            • Instruction Fuzzy Hash: CE3262B4A002158FDB94DF68D490BADBBF2FB88310F108569E509EB395DB35DC41CB91
                                            Function 06B2ACC8 Relevance: 10.4, Strings: 8, Instructions: 390COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 0 6b2acc8-6b2ace6 1 6b2ace8-6b2aceb 0->1 2 6b2acf1-6b2acf4 1->2 3 6b2aee5-6b2aeee 1->3 6 6b2acf6-6b2acfb 2->6 7 6b2acfe-6b2ad01 2->7 4 6b2ad84-6b2ad8d 3->4 5 6b2aef4-6b2aefe 3->5 10 6b2ad93-6b2ad97 4->10 11 6b2aeff-6b2af10 4->11 6->7 8 6b2ad03-6b2ad1f 7->8 9 6b2ad24-6b2ad27 7->9 8->9 13 6b2ad41-6b2ad44 9->13 14 6b2ad29-6b2ad3c 9->14 12 6b2ad9c-6b2ad9e 10->12 21 6b2aed2-6b2aedb 11->21 22 6b2af13-6b2af36 11->22 17 6b2ada0 12->17 18 6b2ada5-6b2ada8 12->18 19 6b2ad46-6b2ad4a 13->19 20 6b2ad55-6b2ad58 13->20 14->13 17->18 18->1 23 6b2adae-6b2add2 18->23 19->5 25 6b2ad50 19->25 26 6b2ad5a-6b2ad63 20->26 27 6b2ad68-6b2ad6b 20->27 37 6b2aee2 21->37 29 6b2af38-6b2af3b 22->29 23->37 50 6b2add8-6b2ade7 23->50 25->20 26->27 30 6b2ad7f-6b2ad82 27->30 31 6b2ad6d-6b2ad7a 27->31 33 6b2af41-6b2af7c 29->33 34 6b2b1a4-6b2b1a7 29->34 30->4 30->12 31->30 48 6b2af82-6b2af8e 33->48 49 6b2b16f-6b2b182 33->49 38 6b2b1b6-6b2b1b9 34->38 39 6b2b1a9 34->39 37->3 40 6b2b1ca-6b2b1cd 38->40 41 6b2b1bb-6b2b1bf 38->41 126 6b2b1a9 call 6b2b230 39->126 127 6b2b1a9 call 6b2b21f 39->127 46 6b2b1f0-6b2b1f3 40->46 47 6b2b1cf-6b2b1eb 40->47 41->33 45 6b2b1c5 41->45 44 6b2b1af-6b2b1b1 44->38 45->40 51 6b2b200-6b2b202 46->51 52 6b2b1f5-6b2b1ff 46->52 47->46 62 6b2af90-6b2afa9 48->62 63 6b2afae-6b2aff2 48->63 53 6b2b184 49->53 59 6b2ade9-6b2adef 50->59 60 6b2adff-6b2ae3a call 6b26590 50->60 56 6b2b204 51->56 57 6b2b209-6b2b20c 51->57 61 6b2b185 53->61 56->57 57->29 64 6b2b212-6b2b21c 57->64 65 6b2adf3-6b2adf5 59->65 66 6b2adf1 59->66 81 6b2ae52-6b2ae69 60->81 82 6b2ae3c-6b2ae42 60->82 61->61 62->53 79 6b2aff4-6b2b006 63->79 80 6b2b00e-6b2b04d 63->80 65->60 66->60 79->80 88 6b2b053-6b2b12e call 6b26590 80->88 89 6b2b134-6b2b149 80->89 93 6b2ae81-6b2ae92 81->93 94 6b2ae6b-6b2ae71 81->94 83 6b2ae46-6b2ae48 82->83 84 6b2ae44 82->84 83->81 84->81 88->89 89->49 101 6b2ae94-6b2ae9a 93->101 102 6b2aeaa-6b2aecf 93->102 96 6b2ae73 94->96 97 6b2ae75-6b2ae77 94->97 96->93 97->93 104 6b2ae9e-6b2aea0 101->104 105 6b2ae9c 101->105 102->21 104->102 105->102 126->44 127->44
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q$$q$$q$$q$$q$$q
                                            • API String ID: 0-3886557441
                                            • Opcode ID: 8ec099cf9d5a32cabbcfb52c92aeca45bf6e4d58ecd0441018ff7d87374a411d
                                            • Instruction ID: fa73784fcb624bde08bec44a16d7be25c25fe248841a3ca094533569e04f6380
                                            • Opcode Fuzzy Hash: 8ec099cf9d5a32cabbcfb52c92aeca45bf6e4d58ecd0441018ff7d87374a411d
                                            • Instruction Fuzzy Hash: 9AE15E70E1032A8BDF64DF68D8906AEB7F2FF84300F248569E409AB254DB74DC46CB81
                                            Function 06B29148 Relevance: 5.2, Strings: 4, Instructions: 231COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 861 6b29148-6b2916d 862 6b2916f-6b29172 861->862 863 6b29174-6b29193 862->863 864 6b29198-6b2919b 862->864 863->864 865 6b291a1-6b291b6 864->865 866 6b29a5b-6b29a5d 864->866 872 6b291b8-6b291be 865->872 873 6b291ce-6b291e4 865->873 868 6b29a64-6b29a67 866->868 869 6b29a5f 866->869 868->862 871 6b29a6d-6b29a77 868->871 869->868 875 6b291c2-6b291c4 872->875 876 6b291c0 872->876 878 6b291ef-6b291f1 873->878 875->873 876->873 879 6b291f3-6b291f9 878->879 880 6b29209-6b2927a 878->880 881 6b291fb 879->881 882 6b291fd-6b291ff 879->882 891 6b292a6-6b292c2 880->891 892 6b2927c-6b2929f 880->892 881->880 882->880 897 6b292c4-6b292e7 891->897 898 6b292ee-6b29309 891->898 892->891 897->898 903 6b29334-6b2934f 898->903 904 6b2930b-6b2932d 898->904 909 6b29351-6b29373 903->909 910 6b2937a-6b29384 903->910 904->903 909->910 911 6b29386-6b2938f 910->911 912 6b29394-6b2940e 910->912 911->871 918 6b29410-6b2942e 912->918 919 6b2945b-6b29470 912->919 923 6b29430-6b2943f 918->923 924 6b2944a-6b29459 918->924 919->866 923->924 924->918 924->919
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q$$q
                                            • API String ID: 0-4102054182
                                            • Opcode ID: 40f5f6e08a862b34e5de044d5196668c7ea3a449d3baaad1799b8e7e98293a22
                                            • Instruction ID: 503b5ae4b15e6f155e64f9ceb98a005426dd5404b7bf423200bae68b0c3730a7
                                            • Opcode Fuzzy Hash: 40f5f6e08a862b34e5de044d5196668c7ea3a449d3baaad1799b8e7e98293a22
                                            • Instruction Fuzzy Hash: A7915270B0031A8BDB54DF69C8507AEB7E6FF89300F109569D90EAB748EA34DD42CB91
                                            Function 06B2CF40 Relevance: 4.6, Strings: 3, Instructions: 803COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 927 6b2cf40-6b2cf5b 928 6b2cf5d-6b2cf60 927->928 929 6b2cf62-6b2cf71 928->929 930 6b2cfa9-6b2cfac 928->930 933 6b2cf73-6b2cf78 929->933 934 6b2cf80-6b2cf8c 929->934 931 6b2cfb2-6b2cfb5 930->931 932 6b2d42c-6b2d438 930->932 935 6b2cfb7-6b2cff9 931->935 936 6b2cffe-6b2d001 931->936 937 6b2d28e-6b2d29d 932->937 938 6b2d43e-6b2d72b 932->938 933->934 939 6b2cf92-6b2cfa4 934->939 940 6b2d95d-6b2d996 934->940 935->936 941 6b2d003-6b2d01f 936->941 942 6b2d024-6b2d027 936->942 943 6b2d29f-6b2d2a4 937->943 944 6b2d2ac-6b2d2b8 937->944 1140 6b2d952-6b2d95c 938->1140 1141 6b2d731-6b2d737 938->1141 939->930 955 6b2d998-6b2d99b 940->955 941->942 946 6b2d031-6b2d034 942->946 947 6b2d029-6b2d02e 942->947 943->944 944->940 949 6b2d2be-6b2d2d0 944->949 953 6b2d036-6b2d078 946->953 954 6b2d07d-6b2d080 946->954 947->946 971 6b2d2d5-6b2d2d7 949->971 953->954 959 6b2d082-6b2d084 954->959 960 6b2d08f-6b2d092 954->960 956 6b2d9be-6b2d9c1 955->956 957 6b2d99d-6b2d9b9 955->957 966 6b2d9c3-6b2d9ef 956->966 967 6b2d9f4-6b2d9f7 956->967 957->956 964 6b2d08a 959->964 965 6b2d429 959->965 968 6b2d094-6b2d0d6 960->968 969 6b2d0db-6b2d0de 960->969 964->960 965->932 966->967 978 6b2da06-6b2da08 967->978 979 6b2d9f9 967->979 968->969 976 6b2d0e0-6b2d122 969->976 977 6b2d127-6b2d12a 969->977 972 6b2d2d9 971->972 973 6b2d2de-6b2d2e1 971->973 972->973 973->928 981 6b2d2e7-6b2d2f0 973->981 976->977 986 6b2d147-6b2d14a 977->986 987 6b2d12c-6b2d142 977->987 983 6b2da0a 978->983 984 6b2da0f-6b2da12 978->984 1187 6b2d9f9 call 6b2dab5 979->1187 1188 6b2d9f9 call 6b2dac8 979->1188 988 6b2d2f2-6b2d2f7 981->988 989 6b2d2ff-6b2d30b 981->989 983->984 984->955 997 6b2da14-6b2da23 984->997 993 6b2d193-6b2d196 986->993 994 6b2d14c-6b2d18e 986->994 987->986 988->989 1002 6b2d311-6b2d325 989->1002 1003 6b2d41c-6b2d421 989->1003 998 6b2d198-6b2d1da 993->998 999 6b2d1df-6b2d1e2 993->999 994->993 995 6b2d9ff-6b2da01 995->978 1017 6b2da25-6b2da88 call 6b26590 997->1017 1018 6b2da8a-6b2da9f 997->1018 998->999 1007 6b2d1f1-6b2d1f4 999->1007 1008 6b2d1e4-6b2d1e6 999->1008 1002->965 1026 6b2d32b-6b2d33d 1002->1026 1003->965 1014 6b2d1f6-6b2d238 1007->1014 1015 6b2d23d-6b2d240 1007->1015 1008->981 1013 6b2d1ec 1008->1013 1013->1007 1014->1015 1028 6b2d242-6b2d284 1015->1028 1029 6b2d289-6b2d28c 1015->1029 1017->1018 1035 6b2daa0 1018->1035 1046 6b2d361-6b2d363 1026->1046 1047 6b2d33f-6b2d345 1026->1047 1028->1029 1029->937 1029->971 1035->1035 1049 6b2d36d-6b2d379 1046->1049 1052 6b2d347 1047->1052 1053 6b2d349-6b2d355 1047->1053 1065 6b2d387 1049->1065 1066 6b2d37b-6b2d385 1049->1066 1058 6b2d357-6b2d35f 1052->1058 1053->1058 1058->1049 1071 6b2d38c-6b2d38e 1065->1071 1066->1071 1071->965 1073 6b2d394-6b2d3b0 call 6b26590 1071->1073 1084 6b2d3b2-6b2d3b7 1073->1084 1085 6b2d3bf-6b2d3cb 1073->1085 1084->1085 1085->1003 1088 6b2d3cd-6b2d41a 1085->1088 1088->965 1142 6b2d746-6b2d74f 1141->1142 1143 6b2d739-6b2d73e 1141->1143 1142->940 1144 6b2d755-6b2d768 1142->1144 1143->1142 1146 6b2d942-6b2d94c 1144->1146 1147 6b2d76e-6b2d774 1144->1147 1146->1140 1146->1141 1148 6b2d783-6b2d78c 1147->1148 1149 6b2d776-6b2d77b 1147->1149 1148->940 1150 6b2d792-6b2d7b3 1148->1150 1149->1148 1153 6b2d7c2-6b2d7cb 1150->1153 1154 6b2d7b5-6b2d7ba 1150->1154 1153->940 1155 6b2d7d1-6b2d7ee 1153->1155 1154->1153 1155->1146 1158 6b2d7f4-6b2d7fa 1155->1158 1158->940 1159 6b2d800-6b2d819 1158->1159 1161 6b2d935-6b2d93c 1159->1161 1162 6b2d81f-6b2d846 1159->1162 1161->1146 1161->1158 1162->940 1165 6b2d84c-6b2d856 1162->1165 1165->940 1166 6b2d85c-6b2d873 1165->1166 1168 6b2d882-6b2d89d 1166->1168 1169 6b2d875-6b2d880 1166->1169 1168->1161 1174 6b2d8a3-6b2d8bc call 6b26590 1168->1174 1169->1168 1178 6b2d8cb-6b2d8d4 1174->1178 1179 6b2d8be-6b2d8c3 1174->1179 1178->940 1180 6b2d8da-6b2d92e 1178->1180 1179->1178 1180->1161 1187->995 1188->995
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q
                                            • API String ID: 0-3067366958
                                            • Opcode ID: 93efbdd4b4e65bb9eff47b498e37c0a4992e8308daae57e3339b0916d92f8179
                                            • Instruction ID: a72013ff249560487f6988d793e30d9fcb94a063b07eca1b8f94f0f586d428c8
                                            • Opcode Fuzzy Hash: 93efbdd4b4e65bb9eff47b498e37c0a4992e8308daae57e3339b0916d92f8179
                                            • Instruction Fuzzy Hash: 0C622C74A002168FDB65EF68D590A9DB7E2FF84300F248A78E4099F355DB75EC86CB81
                                            Function 06B29137 Relevance: 2.7, Strings: 2, Instructions: 168COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1982 6b29137-6b2916d 1984 6b2916f-6b29172 1982->1984 1985 6b29174-6b29193 1984->1985 1986 6b29198-6b2919b 1984->1986 1985->1986 1987 6b291a1-6b291b6 1986->1987 1988 6b29a5b-6b29a5d 1986->1988 1994 6b291b8-6b291be 1987->1994 1995 6b291ce-6b291e4 1987->1995 1990 6b29a64-6b29a67 1988->1990 1991 6b29a5f 1988->1991 1990->1984 1993 6b29a6d-6b29a77 1990->1993 1991->1990 1997 6b291c2-6b291c4 1994->1997 1998 6b291c0 1994->1998 2000 6b291ef-6b291f1 1995->2000 1997->1995 1998->1995 2001 6b291f3-6b291f9 2000->2001 2002 6b29209-6b2927a 2000->2002 2003 6b291fb 2001->2003 2004 6b291fd-6b291ff 2001->2004 2013 6b292a6-6b292c2 2002->2013 2014 6b2927c-6b2929f 2002->2014 2003->2002 2004->2002 2019 6b292c4-6b292e7 2013->2019 2020 6b292ee-6b29309 2013->2020 2014->2013 2019->2020 2025 6b29334-6b2934f 2020->2025 2026 6b2930b-6b2932d 2020->2026 2031 6b29351-6b29373 2025->2031 2032 6b2937a-6b29384 2025->2032 2026->2025 2031->2032 2033 6b29386-6b2938f 2032->2033 2034 6b29394-6b2940e 2032->2034 2033->1993 2040 6b29410-6b2942e 2034->2040 2041 6b2945b-6b29470 2034->2041 2045 6b29430-6b2943f 2040->2045 2046 6b2944a-6b29459 2040->2046 2041->1988 2045->2046 2046->2040 2046->2041
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q
                                            • API String ID: 0-3126353813
                                            • Opcode ID: 98838362571f8254ca0c05699919589791a5f48a800b1d100024e4b358250107
                                            • Instruction ID: 1497f2bd2291c1128394a9cf6a4f9b7a60496b668305a4c0d11dadf68283b07e
                                            • Opcode Fuzzy Hash: 98838362571f8254ca0c05699919589791a5f48a800b1d100024e4b358250107
                                            • Instruction Fuzzy Hash: 64516370B002168FDB54DF69D850BAEB7E6EB89340F109579D90EEB748EA34DC42CB91
                                            Function 013EEB50 Relevance: 1.6, APIs: 1, Instructions: 127COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2229 13eeb50-13eeb5b 2230 13eeb5d-13eeb84 2229->2230 2231 13eeb85-13eeb9b 2229->2231 2251 13eeb9d call 13eeb50 2231->2251 2252 13eeb9d call 13eeb40 2231->2252 2253 13eeb9d call 13eebe0 2231->2253 2234 13eeba2-13eeba4 2235 13eebaa-13eec09 2234->2235 2236 13eeba6-13eeba9 2234->2236 2243 13eec0f-13eec9c GlobalMemoryStatusEx 2235->2243 2244 13eec0b-13eec0e 2235->2244 2247 13eec9e-13eeca4 2243->2247 2248 13eeca5-13eeccd 2243->2248 2247->2248 2251->2234 2252->2234 2253->2234
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2527380341.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_13e0000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7aeb626580dc991cb2f0eecd3e404f494da59c23220998d24ccf01ffdca9e353
                                            • Instruction ID: 733b833de1fa6b587fffc33ec4757092952bde997240ca050dfaf114562308c2
                                            • Opcode Fuzzy Hash: 7aeb626580dc991cb2f0eecd3e404f494da59c23220998d24ccf01ffdca9e353
                                            • Instruction Fuzzy Hash: 49411372D007598FDB14DFAAD8043DEBBF1EF89210F19856AD508A7381EB38A845CBD0
                                            Function 06B2DAC8 Relevance: 1.4, Strings: 1, Instructions: 117COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2447 6b2dac8-6b2dadf 2448 6b2dae1-6b2dae4 2447->2448 2449 6b2dae6-6b2db12 2448->2449 2450 6b2db17-6b2db1a 2448->2450 2449->2450 2451 6b2db1c-6b2db38 2450->2451 2452 6b2db3d-6b2db40 2450->2452 2451->2452 2453 6b2db42 2452->2453 2454 6b2db4f-6b2db51 2452->2454 2459 6b2db48-6b2db4a 2453->2459 2456 6b2db53 2454->2456 2457 6b2db58-6b2db5b 2454->2457 2456->2457 2457->2448 2458 6b2db5d-6b2db6c 2457->2458 2462 6b2db72-6b2dbab 2458->2462 2463 6b2dcf1-6b2dd1b 2458->2463 2459->2454 2470 6b2dbf9-6b2dc1d 2462->2470 2471 6b2dbad-6b2dbb7 2462->2471 2466 6b2dd1c 2463->2466 2466->2466 2477 6b2dc27-6b2dceb 2470->2477 2478 6b2dc1f 2470->2478 2475 6b2dbb9-6b2dbbf 2471->2475 2476 6b2dbcf-6b2dbf7 2471->2476 2479 6b2dbc3-6b2dbc5 2475->2479 2480 6b2dbc1 2475->2480 2476->2470 2476->2471 2477->2462 2477->2463 2478->2477 2479->2476 2480->2476
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PHq
                                            • API String ID: 0-3820536768
                                            • Opcode ID: 75d7d7dc1cb8b8ebd15c46702d5c24c50d4ee1eb44af0cf171d5c90805d4f313
                                            • Instruction ID: 04b954c896601dd0b8f7c2c3a20c0d4528364d64a890ad19abb7370fedc4da50
                                            • Opcode Fuzzy Hash: 75d7d7dc1cb8b8ebd15c46702d5c24c50d4ee1eb44af0cf171d5c90805d4f313
                                            • Instruction Fuzzy Hash: B0414170E1071A9FDB64DF65C45469EBBF2FF89340F204569E51ADB240DB70E982CB81
                                            Function 06B2DAB5 Relevance: 1.4, Strings: 1, Instructions: 113COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2486 6b2dab5-6b2dadf 2487 6b2dae1-6b2dae4 2486->2487 2488 6b2dae6-6b2db12 2487->2488 2489 6b2db17-6b2db1a 2487->2489 2488->2489 2490 6b2db1c-6b2db38 2489->2490 2491 6b2db3d-6b2db40 2489->2491 2490->2491 2492 6b2db42 2491->2492 2493 6b2db4f-6b2db51 2491->2493 2498 6b2db48-6b2db4a 2492->2498 2495 6b2db53 2493->2495 2496 6b2db58-6b2db5b 2493->2496 2495->2496 2496->2487 2497 6b2db5d-6b2db6c 2496->2497 2501 6b2db72-6b2dbab 2497->2501 2502 6b2dcf1-6b2dd1b 2497->2502 2498->2493 2509 6b2dbf9-6b2dc1d 2501->2509 2510 6b2dbad-6b2dbb7 2501->2510 2505 6b2dd1c 2502->2505 2505->2505 2516 6b2dc27-6b2dceb 2509->2516 2517 6b2dc1f 2509->2517 2514 6b2dbb9-6b2dbbf 2510->2514 2515 6b2dbcf-6b2dbf7 2510->2515 2518 6b2dbc3-6b2dbc5 2514->2518 2519 6b2dbc1 2514->2519 2515->2509 2515->2510 2516->2501 2516->2502 2517->2516 2518->2515 2519->2515
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PHq
                                            • API String ID: 0-3820536768
                                            • Opcode ID: 056242103620dff65091e3a479cea0a8263da409f41bb7e5a6a3f91863c12afc
                                            • Instruction ID: 4be942404846efa5a460f04fd51661db6a3edd53c08338bf05ef3a603d201585
                                            • Opcode Fuzzy Hash: 056242103620dff65091e3a479cea0a8263da409f41bb7e5a6a3f91863c12afc
                                            • Instruction Fuzzy Hash: 9E41A2B0E0071ADFDB64DF64C45469EBBB2FF85340F10466AE416EB244DB70D982CB41
                                            Function 06B221B5 Relevance: 1.4, Strings: 1, Instructions: 110COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2525 6b221b5-6b221e3 2526 6b221e5-6b221e8 2525->2526 2527 6b221ea-6b22206 2526->2527 2528 6b2220b-6b2220d 2526->2528 2527->2528 2529 6b22214-6b22217 2528->2529 2530 6b2220f 2528->2530 2529->2526 2532 6b22219-6b2223f 2529->2532 2530->2529 2537 6b22246-6b22274 2532->2537 2542 6b22276-6b22280 2537->2542 2543 6b222eb-6b2230f 2537->2543 2546 6b22282-6b22288 2542->2546 2547 6b22298-6b222e9 2542->2547 2551 6b22311 2543->2551 2552 6b22319 2543->2552 2549 6b2228a 2546->2549 2550 6b2228c-6b2228e 2546->2550 2547->2542 2547->2543 2549->2547 2550->2547 2551->2552 2554 6b2231a 2552->2554 2554->2554
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PHq
                                            • API String ID: 0-3820536768
                                            • Opcode ID: 179cfc019c7970103df9ae18d52b693611a09b61a53a7b5aae25cc6656b8355e
                                            • Instruction ID: 98678962a6fbe26471d84bb677c6a183fb6dc5ac01e808e495943f96e90c98fa
                                            • Opcode Fuzzy Hash: 179cfc019c7970103df9ae18d52b693611a09b61a53a7b5aae25cc6656b8355e
                                            • Instruction Fuzzy Hash: 29311370B002168FDB689F74C5106AE7BE3FF89240B1445B8D406DB385DE3ACD86CB90
                                            Function 06B221C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2560 6b221c8-6b221e3 2561 6b221e5-6b221e8 2560->2561 2562 6b221ea-6b22206 2561->2562 2563 6b2220b-6b2220d 2561->2563 2562->2563 2564 6b22214-6b22217 2563->2564 2565 6b2220f 2563->2565 2564->2561 2567 6b22219-6b2223f 2564->2567 2565->2564 2572 6b22246-6b22274 2567->2572 2577 6b22276-6b22280 2572->2577 2578 6b222eb-6b2230f 2572->2578 2581 6b22282-6b22288 2577->2581 2582 6b22298-6b222e9 2577->2582 2586 6b22311 2578->2586 2587 6b22319 2578->2587 2584 6b2228a 2581->2584 2585 6b2228c-6b2228e 2581->2585 2582->2577 2582->2578 2584->2582 2585->2582 2586->2587 2589 6b2231a 2587->2589 2589->2589
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PHq
                                            • API String ID: 0-3820536768
                                            • Opcode ID: 2741471fd344db02ae8de00c6d4cb2eb24a03ad757c86ea314a6774fab3d291a
                                            • Instruction ID: d78eb21fb8fed60434201353a2d44d01ecec887d7a9a0c55433941492af425dc
                                            • Opcode Fuzzy Hash: 2741471fd344db02ae8de00c6d4cb2eb24a03ad757c86ea314a6774fab3d291a
                                            • Instruction Fuzzy Hash: 0031C170B002168FDB689F74D5146AE7BE3FB88250B204578D40BDB384DE35DD46CB95
                                            Function 06B282EE Relevance: 1.3, Strings: 1, Instructions: 30COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q
                                            • API String ID: 0-1301096350
                                            • Opcode ID: 76fd807abde45a9607b1858560bfc0e5412d841940f5f3bff2b518a94a05c304
                                            • Instruction ID: d0895362a4962da3ad6b7412297856c0aa5097f46cd240b90ba1ae3f532b955c
                                            • Opcode Fuzzy Hash: 76fd807abde45a9607b1858560bfc0e5412d841940f5f3bff2b518a94a05c304
                                            • Instruction Fuzzy Hash: 8EF0A0B2B04222CBEF744D45A9402A873E4F740211F1810F2EE0DDB140C279EE08CA91
                                            Function 06B2B21F Relevance: .3, Instructions: 305COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f196929f05c9334993569130db6864cb8f1f5792df22aaaafa545bcd1cd0a831
                                            • Instruction ID: b692349f1a17dd98a3afe11ff2ac6530807e67b51164905caa9fe960f20fed86
                                            • Opcode Fuzzy Hash: f196929f05c9334993569130db6864cb8f1f5792df22aaaafa545bcd1cd0a831
                                            • Instruction Fuzzy Hash: A3B167B0F1021A8BEF64CA9CD4907AEB7E6FB85314F245469E50DEB395CE38DC818B51
                                            Function 06B261D8 Relevance: .2, Instructions: 229COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2d973a5b2a222d35621f0b6f7d2124c7b64b828070f796f75e40222ba010dc1e
                                            • Instruction ID: 4aa2962d674ee66be4cb8af9d661e219ddda9458a3788ab6e834233ca8fe3b33
                                            • Opcode Fuzzy Hash: 2d973a5b2a222d35621f0b6f7d2124c7b64b828070f796f75e40222ba010dc1e
                                            • Instruction Fuzzy Hash: 026192B1F001214BDB549A7EC8906AEBAD7EFC4220B154479D90EDB364EE75DD028791
                                            Function 06B24278 Relevance: .2, Instructions: 221COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 56253b0ae7427b23a990ccb028246056dafc0f7f6e1845cb6845c7ecd644da09
                                            • Instruction ID: ee4b176f4b7cd2871da0b3b0a43774b6edd64ff65034c2376eab35eddcb90c9d
                                            • Opcode Fuzzy Hash: 56253b0ae7427b23a990ccb028246056dafc0f7f6e1845cb6845c7ecd644da09
                                            • Instruction Fuzzy Hash: 3C812E70B102158BDB54DFA8C4547AEBBF2EF89300F249579D50AEB748EB35EC428B91
                                            Function 06B24288 Relevance: .2, Instructions: 218COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5ecb6081b2912ab6f82d12e48398fd0cda7010daea1c51c5ca66eb28d4559173
                                            • Instruction ID: 9e4ab91c5135f45017bbb02ba88dce2a8d0121ca7a827ff43ad59f4e65be0eb4
                                            • Opcode Fuzzy Hash: 5ecb6081b2912ab6f82d12e48398fd0cda7010daea1c51c5ca66eb28d4559173
                                            • Instruction Fuzzy Hash: 86813F70B102158BDB54DFA8C4547AEBBF2EF89300F249579D50AEB748EE35EC428B51
                                            Function 06B24598 Relevance: .2, Instructions: 216COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dc0c1a1f597e807c35bc2e87480db04ecd7b3011c37cbd80023864296ef47d24
                                            • Instruction ID: 6bdfac0ce640c8ba37f4aefa7fa31f5bd5f1f5341ba1baf5acefd83112e8908a
                                            • Opcode Fuzzy Hash: dc0c1a1f597e807c35bc2e87480db04ecd7b3011c37cbd80023864296ef47d24
                                            • Instruction Fuzzy Hash: B6915C74E1021A8BDF60CF68C890B9DB7B1FF89310F208699D54DAB695DB70A985CF90
                                            Function 06B245B0 Relevance: .2, Instructions: 210COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6beb2a2091c41961846c8f70daac78aa8308c4194338236405681a53ac1500c9
                                            • Instruction ID: 9cd65bc30d51c2a3e3b73528737e25d177fb99687336713bf0663d5f3cb7383c
                                            • Opcode Fuzzy Hash: 6beb2a2091c41961846c8f70daac78aa8308c4194338236405681a53ac1500c9
                                            • Instruction Fuzzy Hash: 34912A74E1021A8BDF60DF68C890B9DB7B1FF89310F208699D54DAB654DB70AA85CF90
                                            Function 06B2EF10 Relevance: .2, Instructions: 205COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fcb9e135ee9adfeed931d5c6b22e6598101f6c9bf3b47f42ca50db4e119536e3
                                            • Instruction ID: a81d2d6a881e7825568431fd9aadba39bb893a0aa2a4c507cfa9cb43821de090
                                            • Opcode Fuzzy Hash: fcb9e135ee9adfeed931d5c6b22e6598101f6c9bf3b47f42ca50db4e119536e3
                                            • Instruction Fuzzy Hash: 7C715EB0E002199FDB54DFA9D980AAEB7F6FF88310F148569E109AB354DB34EC46CB40
                                            Function 06B2EF20 Relevance: .2, Instructions: 201COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 716bc1f01435f854e6c42fcdf123cd5d92dcef1490b9d9b872271748461edafd
                                            • Instruction ID: 7756251f34bcd1ae7c41de1d439eaa26e15a22082964a9c85c2bf2351756e45e
                                            • Opcode Fuzzy Hash: 716bc1f01435f854e6c42fcdf123cd5d92dcef1490b9d9b872271748461edafd
                                            • Instruction Fuzzy Hash: B6713F70A002199FDB54DFA9D980AAEB7F6FF84310F148569E509AB354DB34EC46CB50
                                            Function 06B24B48 Relevance: .2, Instructions: 186COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c7586e9b8358ee3755a7741a7c5587795dbf8ce5acb7141b97ec544ba3200159
                                            • Instruction ID: 851e2f1011f5f0847543ecdc800d740073047c50fbbf1828bc5878e9d8a9466f
                                            • Opcode Fuzzy Hash: c7586e9b8358ee3755a7741a7c5587795dbf8ce5acb7141b97ec544ba3200159
                                            • Instruction Fuzzy Hash: 9B619570F002199FEB549FA8C8157AEBBF6FF88350F208569E109AB794DE755C41CB90
                                            Function 06B2FA28 Relevance: .2, Instructions: 172COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a820a806f4ac3a56599b193af93642ba7b7ca93408cf48b1b331d37c40c373d7
                                            • Instruction ID: 55ba6cb39e2fe8068ba8cddaaf6dbe07e1ee970f9317ba2bc2bf90a0881b4392
                                            • Opcode Fuzzy Hash: a820a806f4ac3a56599b193af93642ba7b7ca93408cf48b1b331d37c40c373d7
                                            • Instruction Fuzzy Hash: 5E51C4B0F202259BEF645ABCD85477F66AED78A710F104576E40FE7395C92CCC8287A2
                                            Function 06B2FC88 Relevance: .2, Instructions: 171COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 000ec54cabe1fb9969d3dbd7ed5da10d874b040fae1779f6a7523c562f2c1427
                                            • Instruction ID: 5a477c4ba41e314a76c79afa7047c9b8092feb76bea7db030789f8d2356e207a
                                            • Opcode Fuzzy Hash: 000ec54cabe1fb9969d3dbd7ed5da10d874b040fae1779f6a7523c562f2c1427
                                            • Instruction Fuzzy Hash: E251F171E50226CFDB24AF78E4446BDBBF6FB88350F1089B9E10AD7250DB359845CB80
                                            Function 06B2FA38 Relevance: .2, Instructions: 163COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7a4ea8cb4b84d4a2c1d32157042ba2f9072a97777c1b35929ce3b1ca61afe0fe
                                            • Instruction ID: 0416372d40104a267931dcd3c242433bffb73be210af971ac0b5cd5469c3f736
                                            • Opcode Fuzzy Hash: 7a4ea8cb4b84d4a2c1d32157042ba2f9072a97777c1b35929ce3b1ca61afe0fe
                                            • Instruction Fuzzy Hash: 735193B0F202259BEF645ABCD85477F66AED78A710F20443AE50FD7395C96CCC828792
                                            Function 06B24B39 Relevance: .1, Instructions: 138COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 71518ef0c94c33dc4e0845921c9489f871bc6d04d52a2cba16671860e8c85063
                                            • Instruction ID: 00bbc91dbce4617304c6c8f4647ab981d8c458fbf63dd2c7f7362512db928791
                                            • Opcode Fuzzy Hash: 71518ef0c94c33dc4e0845921c9489f871bc6d04d52a2cba16671860e8c85063
                                            • Instruction Fuzzy Hash: CA518070F002189BDB549BA8C815BAEBAF6FF88310F248569E105AF794DE759C01CB90
                                            Function 06B25400 Relevance: .1, Instructions: 126COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7ea62e193b59cd17764e3f9ffa385b6ab79d7217538f6a3b46f9b14c22f5e7a7
                                            • Instruction ID: a78adc4ac1b3966df5359f6fb14bf0e2be7916976cea041cd2080f53d87f2795
                                            • Opcode Fuzzy Hash: 7ea62e193b59cd17764e3f9ffa385b6ab79d7217538f6a3b46f9b14c22f5e7a7
                                            • Instruction Fuzzy Hash: 56418372E0061A8FDF70CFA9D881BAFF7F2FB44210F10496AD219D7604D630E9558B91
                                            Function 06B24B70 Relevance: .1, Instructions: 119COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6c318b1bd005ba201de44650f86e5d62ee5e57413f3f4026862d564257170345
                                            • Instruction ID: c80ed272531f2cbff1eeab34f207c4026417438b4f5ae64f6df4253ddedf2fb7
                                            • Opcode Fuzzy Hash: 6c318b1bd005ba201de44650f86e5d62ee5e57413f3f4026862d564257170345
                                            • Instruction Fuzzy Hash: 10414F74F002199FEB549FA8C455BAEBAF2FF88710F24852EE105AF794DA749C41CB90
                                            Function 06B2D968 Relevance: .1, Instructions: 103COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a890262004dd8c33d9b19bf9afc5c2787bf831b9a545b31d0dfb4a975ec20ffb
                                            • Instruction ID: e2f8ea9ce92dadedc5b28bf58db271bff3ae1a6ed672993d165d861f664ff7ef
                                            • Opcode Fuzzy Hash: a890262004dd8c33d9b19bf9afc5c2787bf831b9a545b31d0dfb4a975ec20ffb
                                            • Instruction Fuzzy Hash: 7231C470E1071A9BDB24DF69C880ADEB7F2FF85300F104A29E505EB241EB70E9468B81
                                            Function 06B22078 Relevance: .1, Instructions: 95COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d58c7537b0f53c5cf0e7282d888425f0979528d3f195578266aa55328b2f1961
                                            • Instruction ID: 80ebc64085d0a4b7103a0748be17b12253cec6aff48b2dabcb0298723c46f2af
                                            • Opcode Fuzzy Hash: d58c7537b0f53c5cf0e7282d888425f0979528d3f195578266aa55328b2f1961
                                            • Instruction Fuzzy Hash: ED31A374E106169BDB58CF64C894A9EB7F2FF89300F148569E806EB350DB71ED86CB40
                                            Function 06B22088 Relevance: .1, Instructions: 91COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 08b9767438661c0a934ace9b2ae27926015528ccd2bc4ad9982e8943613e4a21
                                            • Instruction ID: 8ce3a3d8a2c8ebe5cad237884542ea31ce129c829bf2721468d7cc824f1c3245
                                            • Opcode Fuzzy Hash: 08b9767438661c0a934ace9b2ae27926015528ccd2bc4ad9982e8943613e4a21
                                            • Instruction Fuzzy Hash: 54316F74E106169BDB18CF64D854A9EB7F2FF89300F108569E806EB350DB71ED82CB40
                                            Function 06B23A88 Relevance: .1, Instructions: 78COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 690c5e924eab8d6eb99504d777fb127710db49ce17ae175ea9db347f4e77abe9
                                            • Instruction ID: edb10963bd80471ab98800988e54a4c77c9b104a6b124ec5b8b287050d0a4593
                                            • Opcode Fuzzy Hash: 690c5e924eab8d6eb99504d777fb127710db49ce17ae175ea9db347f4e77abe9
                                            • Instruction Fuzzy Hash: 98213DB5E002259FDB50CF69D990BAEBBF5EB48310F148479E90AE7350E639DD40CB90
                                            Function 06B23A78 Relevance: .1, Instructions: 78COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: de44827c6d57ed43926daf7fa755a8d486c6962d633f966b019edc6916e2a712
                                            • Instruction ID: 6d8c31c4a318c8c1d165da3835e60cd34264befba2f433c40f932dc5c63f8a5b
                                            • Opcode Fuzzy Hash: de44827c6d57ed43926daf7fa755a8d486c6962d633f966b019edc6916e2a712
                                            • Instruction Fuzzy Hash: ED213BB6E102159FDB50CF68D990BAEBBF1EB48310F148466E90AE7390E739D9418B90
                                            Function 06B26D00 Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7dd87baf32d2fa791ac1bb2c85cbad9344c137c96f44a627f807d7a46b4802ec
                                            • Instruction ID: 76e6ff292eeeecc12b66bac7b920d45e1f4dddff058b0a227ef291691ce6020f
                                            • Opcode Fuzzy Hash: 7dd87baf32d2fa791ac1bb2c85cbad9344c137c96f44a627f807d7a46b4802ec
                                            • Instruction Fuzzy Hash: 9221A171B101299BCF44DF69E8947AEB7E2EB84350F249579E409EB340EA35EC41CB80
                                            Function 0110D044 Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2524891471.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_110d000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c5467be066389e2c1ac31938cb11d8b706b54c6d3a397c3444bcead782592aac
                                            • Instruction ID: f873261ec91b40f45721bd12a2052587a69660eeaea9ce924a13a54beda3de89
                                            • Opcode Fuzzy Hash: c5467be066389e2c1ac31938cb11d8b706b54c6d3a397c3444bcead782592aac
                                            • Instruction Fuzzy Hash: F221F171904304EFDF1ADFA4E980B26BB61FB84314F20C5ADE80D0B296C7B6D446CA62
                                            Function 06B23B98 Relevance: .1, Instructions: 59COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d34eef26dd2dc325e927c219056d5a59aed212de1b5f71a9e059466105add46c
                                            • Instruction ID: d23f3d27c62740dc384e61f21b3491731c2f0c27912674e8d98f551a0d2ed1ac
                                            • Opcode Fuzzy Hash: d34eef26dd2dc325e927c219056d5a59aed212de1b5f71a9e059466105add46c
                                            • Instruction Fuzzy Hash: AC118E71B102298FDB989A79C8147AE77E6EBC8710F004179D90AE7348EE78DC0287D0
                                            Function 06B23038 Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2ac9e2bc05272f27199469c05e99034a6b890615f08b57ba2a776c0d4c8eb02b
                                            • Instruction ID: 029876828135d0d0ffeebe25a688250ef7863f366b3de8452dfea0468e02d7de
                                            • Opcode Fuzzy Hash: 2ac9e2bc05272f27199469c05e99034a6b890615f08b57ba2a776c0d4c8eb02b
                                            • Instruction Fuzzy Hash: 500184B1E002299BCB64DBB9D8506DEF7F5EB89310F1485A9E509E7340EA35D941CBE0
                                            Function 06B241D8 Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 335fd52f282d80add0c4327df25c07e576790063b3f033e775dc2eea6fffac6e
                                            • Instruction ID: 372ff2ea1ca2021a54bd5695f354338cd521ef6275482f97adc2ecb5c011475e
                                            • Opcode Fuzzy Hash: 335fd52f282d80add0c4327df25c07e576790063b3f033e775dc2eea6fffac6e
                                            • Instruction Fuzzy Hash: A001F7B5F101214FDB6195BDD81572AB7D6EBD9710F24887AE10ECBB89EDA4DC024381
                                            Function 0110D03F Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2524891471.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_110d000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                            • Instruction ID: 9e20c4551e19e1f623ab4e53d62bab010c1d81fdcf282d020080dd646f35c2d7
                                            • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                            • Instruction Fuzzy Hash: 3711EE75904240DFCB16CF54E9C0B15BF61FB44314F24C6A9D8494B696C33AD40ACF52
                                            Function 06B2A300 Relevance: .1, Instructions: 52COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c464e64f615d2f9c4837802020aa74517f1814d514fcf82616a9693aedad67f0
                                            • Instruction ID: b03454625b6bc250018f517601a640b6adb7bb3cd561ac4f71b2e223462789c4
                                            • Opcode Fuzzy Hash: c464e64f615d2f9c4837802020aa74517f1814d514fcf82616a9693aedad67f0
                                            • Instruction Fuzzy Hash: 8B0184B1B001115FDBA1DA6CE864B6EB3D6FB8A754F11987AE40EC7384DA25DC028781
                                            Function 06B23850 Relevance: .1, Instructions: 52COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3bd3377871ffb533ae035c4af4e8e6d74bc32ab4ee6d06598d4bf0958d698857
                                            • Instruction ID: 24b3e331c9b8d86ed7fd70cb73ce31dc6f8898cb60db4348ead6a4e52be583ab
                                            • Opcode Fuzzy Hash: 3bd3377871ffb533ae035c4af4e8e6d74bc32ab4ee6d06598d4bf0958d698857
                                            • Instruction Fuzzy Hash: 5E2100B1D01259EFDB10CF9AD884ACEFBF4FB48314F10816AE918A7200C3796944CFA5
                                            Function 06B23858 Relevance: .1, Instructions: 52COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e1da3aab0c0be0a4a8bd088cd9f02b3b740b9f9253c8f7e859c0b31839129bb0
                                            • Instruction ID: a4ab0ed66027f5907ed6fbc6526b11fe3c162ffb3f9ecde6701314ab8daa9078
                                            • Opcode Fuzzy Hash: e1da3aab0c0be0a4a8bd088cd9f02b3b740b9f9253c8f7e859c0b31839129bb0
                                            • Instruction Fuzzy Hash: 1011D0B5D01219AFDB10CF9AD884ACEFBF4FB48314F10812AE918A7240C379A954CFA5
                                            Function 06B2F191 Relevance: .1, Instructions: 52COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bec577c3ac7ba44335eb015a74f502b2e48ea1dcb72f2986a8e2ffe495b52228
                                            • Instruction ID: a836ed9815ec20ce2f0d585aab893dd8bd6beea68587fa368e509be7aac1f64e
                                            • Opcode Fuzzy Hash: bec577c3ac7ba44335eb015a74f502b2e48ea1dcb72f2986a8e2ffe495b52228
                                            • Instruction Fuzzy Hash: 5201D475B101610BDB65DA6C9894B7B77E6EBCA211F14887AF40ECB345E924DC028385
                                            Function 06B23B88 Relevance: .1, Instructions: 51COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ea8c970a6b2ad22c804ca47835127e7fe737a109aec66a97effec5e49277a17c
                                            • Instruction ID: fdb9d4c5bf1039b848fc9280e4d389f449425015609926c4bb82ceced2f022da
                                            • Opcode Fuzzy Hash: ea8c970a6b2ad22c804ca47835127e7fe737a109aec66a97effec5e49277a17c
                                            • Instruction Fuzzy Hash: AD01D4B6B101254BEB9499688C157FE67E7D7C8700F154076D90AD7388EE28CC024791
                                            Function 06B241E8 Relevance: .1, Instructions: 51COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c9f5264c77b8d95f04ba5b422ee9972f19c7f03516032697e5b47589215a8cce
                                            • Instruction ID: 009a192133f8233ad00cabfe454fc3f9ef4323999d70cc88fdf1652f6ef7f5e6
                                            • Opcode Fuzzy Hash: c9f5264c77b8d95f04ba5b422ee9972f19c7f03516032697e5b47589215a8cce
                                            • Instruction Fuzzy Hash: 9301D1B0B201250BDB6499AED815B2BB6DAEBC9710F24C43AE50ECBB44EDA5DC024391
                                            Function 06B2F1A0 Relevance: .0, Instructions: 49COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ca6e69662556f594a9f0cd6e1c3963dda731adbdbfc67ebe8dbea59b4b597981
                                            • Instruction ID: dd43d932bf332ea14754eb9deb4731846badc3e90d057f6c88db231a535d0d98
                                            • Opcode Fuzzy Hash: ca6e69662556f594a9f0cd6e1c3963dda731adbdbfc67ebe8dbea59b4b597981
                                            • Instruction Fuzzy Hash: 0E0181B5B101220BDB64D96C9894B3F76EAEBC9611F148879F50ECB340ED25DC424385
                                            Function 06B2A310 Relevance: .0, Instructions: 46COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 351bd9bc60738ffd00204a8cdb1fcf74a2914c68476327e0b2a5742400f52c2f
                                            • Instruction ID: fcf65dad4fe2a3a15dae27c4c0e315b3bed239fd48793e761c8b93e38051d0d1
                                            • Opcode Fuzzy Hash: 351bd9bc60738ffd00204a8cdb1fcf74a2914c68476327e0b2a5742400f52c2f
                                            • Instruction Fuzzy Hash: E90181B0B001215BDB70DA6CE854B1EB3D5FB89B14F109879E50EC7344E925DC018781
                                            Function 06B2C7C8 Relevance: .0, Instructions: 33COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f1044527b3b7ca8a4c796070c74e12d842d0edb63b60c4fb43a4b1640d204006
                                            • Instruction ID: 7035e68a703b5d7926b55bce951d004da291e69808716d623166018cbf421df3
                                            • Opcode Fuzzy Hash: f1044527b3b7ca8a4c796070c74e12d842d0edb63b60c4fb43a4b1640d204006
                                            • Instruction Fuzzy Hash: 88F0A772F202389BDB545A65D80559EB7BAE784354F004479E905BB244D776AC1087C0
                                            Function 06B26461 Relevance: .0, Instructions: 25COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b48509bcbddd25c393097eaf3f15b8d35943710fd86bbb300c4ea63bb0e367f8
                                            • Instruction ID: 47f4a35175f07a54e22cf40f88eb5c89531a1f363998e7aed9b6dc3192691b89
                                            • Opcode Fuzzy Hash: b48509bcbddd25c393097eaf3f15b8d35943710fd86bbb300c4ea63bb0e367f8
                                            • Instruction Fuzzy Hash: DFE0D8F2D111155BDB90DE708A5535A77E5D741204F2059E1C05CDB141F236ED414340
                                            Function 06B26470 Relevance: .0, Instructions: 22COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 105533289c672c70b77a2127566478a11c6e4a8ee0802eacdb3449de9dbea2de
                                            • Instruction ID: 5e2bd2139e7ec799f7f5314f3fdaf087e3b2defaaac1ce74d5752d6bb4fa5724
                                            • Opcode Fuzzy Hash: 105533289c672c70b77a2127566478a11c6e4a8ee0802eacdb3449de9dbea2de
                                            • Instruction Fuzzy Hash: 27E0C2F1E2111AABDF50DEB0C94575E77EDD701204F2088E4D45CDB201F136DE014380

                                            Non-executed Functions

                                            Function 06B27698 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
                                            • API String ID: 0-1298971921
                                            • Opcode ID: a805180f2806fa987473465824c0ef1383d7b7724fc5a4cae5fac8cb40172811
                                            • Instruction ID: 5e14b429bc91720325f54a3600560151887e7ba19e5513685c2cd5b207ef2acc
                                            • Opcode Fuzzy Hash: a805180f2806fa987473465824c0ef1383d7b7724fc5a4cae5fac8cb40172811
                                            • Instruction Fuzzy Hash: 3F12FA70E0022A8FDB64DF69C954A9DB7F2FF89704F2485B9D40AAB254DB349D81CB84
                                            Function 06B2A930 Relevance: 10.2, Strings: 8, Instructions: 229COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q$$q$$q$$q$$q$$q
                                            • API String ID: 0-3886557441
                                            • Opcode ID: 0eff9594f6ad222b4d5566db25e152c0c336cbad41f07c690f3bc6af491f3b13
                                            • Instruction ID: c0546cef43b9bcecbafa2bacca31fe4dd58c94f0689f96ff318bc2ce64799dc4
                                            • Opcode Fuzzy Hash: 0eff9594f6ad222b4d5566db25e152c0c336cbad41f07c690f3bc6af491f3b13
                                            • Instruction Fuzzy Hash: EE9173B0E0021ADFEB68DF65DA5476EB7F2FF44700F108569E406AB294DB789C41CB90
                                            Function 06B27098 Relevance: 7.9, Strings: 6, Instructions: 405COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q$$q$$q$$q
                                            • API String ID: 0-2069967915
                                            • Opcode ID: 5afff16dce9fa812b69c0b2abee5568aa1ca0ea1ddd63c796194adfe18ce8ac3
                                            • Instruction ID: 436aea1dc4018a2592ae84dca1702593f809713ab9f4233f9d3fe21b5ec8eb8a
                                            • Opcode Fuzzy Hash: 5afff16dce9fa812b69c0b2abee5568aa1ca0ea1ddd63c796194adfe18ce8ac3
                                            • Instruction Fuzzy Hash: 61F11A70A00216CFDB59DF68C594A6EB7F2FF84304F248569E406AB394DB79EC42CB85
                                            Function 06B283D0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q$$q
                                            • API String ID: 0-4102054182
                                            • Opcode ID: 4352c6fa91c5ae4a56c32672f42868efc0c6ca4eedec22e4d87a65c76d6a9a38
                                            • Instruction ID: 986ae10852577d5b3c1574a30fb285d609147e1fdb6e95e1d941e38f0e2a55c9
                                            • Opcode Fuzzy Hash: 4352c6fa91c5ae4a56c32672f42868efc0c6ca4eedec22e4d87a65c76d6a9a38
                                            • Instruction Fuzzy Hash: BFB14970B0021A8BDB68DF68D5947AEB7F2FF84314F248569D40A9B394DA74DC86CB80
                                            Function 06B287E8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LRq$LRq$$q$$q
                                            • API String ID: 0-2204215535
                                            • Opcode ID: 060e1cccbcfbcb5f39bb315b9699e9fb25e4d9d5180e079a4065184e7b44e82a
                                            • Instruction ID: 036f693b75a91b61013276555a78e9db47b4181bf17f9166f28e5a12389b9cc1
                                            • Opcode Fuzzy Hash: 060e1cccbcfbcb5f39bb315b9699e9fb25e4d9d5180e079a4065184e7b44e82a
                                            • Instruction Fuzzy Hash: 9951AE70B002128FDB58DF68C844A6AB7F2FF88310F1486A9E50A9F395DA34EC45CB91
                                            Function 06B2ACB8 Relevance: 5.2, Strings: 4, Instructions: 160COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000018.00000002.2541943581.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_24_2_6b20000_GlIToApjgGEL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q$$q
                                            • API String ID: 0-4102054182
                                            • Opcode ID: 6aa42bdfba9d9637bbf9b608fa770f5bc1dc4976c0233e5b0e1c2d06526cc3fc
                                            • Instruction ID: 08dbd7706669d1afdd3d546d1f725c24f5ccb27ff48099a3082740f2ea660567
                                            • Opcode Fuzzy Hash: 6aa42bdfba9d9637bbf9b608fa770f5bc1dc4976c0233e5b0e1c2d06526cc3fc
                                            • Instruction Fuzzy Hash: E8516570E102168FDF65DF68D5806ADB3F2FB88211F2455A9D809EB254DB35DC42CB51