
Windows Analysis Report
LisectAVT_2403002A_124.exe

Overview

General Information

Sample name: LisectAVT_2403002A_124.exe
Analysis ID: 1482514
MD5: 1e6fe7e9dd5292ac6ed4c77d742da69b
SHA1: 5f13634797d7d9c4b670d3e11076680340f89b89
SHA256: bb1b31f63c63a642be94f71d4dbab8c30c498662ee4269722aca9448eb264d94
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • LisectAVT_2403002A_124.exe (PID: 7292 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_124.exe" MD5: 1E6FE7E9DD5292AC6ED4C77D742DA69B)
    • LisectAVT_2403002A_124.exe (PID: 7468 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_124.exe" MD5: 1E6FE7E9DD5292AC6ED4C77D742DA69B)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.flying-fish-cn.com", "Username": "office@flying-fish-cn.com", "Password": "hkk999@@@                     "}
Source | Rule | Description | Author | Strings
Source: 00000002.00000002.2912873981.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000002.00000002.2912873981.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000002.00000002.2914893392.0000000003341000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000002.00000002.2914893392.0000000003341000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.1707848434.00000000044A2000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source | Rule | Description | Author | Strings
Source: 0.2.LisectAVT_2403002A_124.exe.3b857c0.5.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.2.LisectAVT_2403002A_124.exe.3b857c0.5.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.2.LisectAVT_2403002A_124.exe.3b857c0.5.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen | Strings:
  • 0x3174d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x317bf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x31849:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x318db:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x31945:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x319b7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x31a4d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31add:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.LisectAVT_2403002A_124.exe.3bc01e0.4.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.2.LisectAVT_2403002A_124.exe.3bc01e0.4.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

                    System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 208.91.199.225, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe, Initiated: true, ProcessId: 7468, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49734
                    No Snort rule has matched
Timestamp: 2024-07-26T00:06:03.820057+0200 | SID: 2022930 | Source Port: 443 | Destination Port: 49743 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-07-26T00:05:25.683509+0200 | SID: 2022930 | Source Port: 443 | Destination Port: 49737 | Protocol: TCP | Classtype: A Network Trojan was detected


                    AV Detection

Source: LisectAVT_2403002A_124.exe | Avira: detected
Source: http://www.google.com | URL Reputation: Label: malware
Source: 2.2.LisectAVT_2403002A_124.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.flying-fish-cn.com", "Username": "office@flying-fish-cn.com", "Password": "hkk999@@@ "}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: LisectAVT_2403002A_124.exe | Joe Sandbox ML: detected
Source: LisectAVT_2403002A_124.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: LisectAVT_2403002A_124.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: bdau.pdbSHA256 source: LisectAVT_2403002A_124.exe
Source: Binary string: bdau.pdb source: LisectAVT_2403002A_124.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 4x nop then jmp 070A6ED7h | 0_2_070A63E6

                    Networking

Source: Yara match | File source: 0.2.LisectAVT_2403002A_124.exe.3bc01e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.LisectAVT_2403002A_124.exe.3b857c0.5.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.4:49734 -> 208.91.199.225:587
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | IP Address: 208.91.199.225
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0; Host: api.ipify.org; Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: smtp.flying-fish-cn.com
Source: LisectAVT_2403002A_124.exe, 00000002.00000002.2914893392.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LisectAVT_2403002A_124.exe, 00000002.00000002.2914893392.0000000003367000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://smtp.flying-fish-cn.com
Source: LisectAVT_2403002A_124.exe, 00000002.00000002.2914893392.0000000003367000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1707385764.0000000002841000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com
Source: LisectAVT_2403002A_124.exe | String found in binary or memory: http://www.google.com)Uygun
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1710237885.0000000006912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1707848434.00000000044A2000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_124.exe, 00000000.00000002.1707848434.0000000003B85000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_124.exe, 00000002.00000002.2912873981.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1707848434.00000000044A2000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_124.exe, 00000000.00000002.1707848434.0000000003B85000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_124.exe, 00000002.00000002.2912873981.0000000000402000.00000040.00000400.00020000.00000000.sdmp, LisectAVT_2403002A_124.exe, 00000002.00000002.2914893392.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: LisectAVT_2403002A_124.exe, 00000002.00000002.2914893392.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: LisectAVT_2403002A_124.exe, 00000002.00000002.2914893392.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: LisectAVT_2403002A_124.exe | String found in binary or memory: https://www.google.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49732 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.LisectAVT_2403002A_124.exe.3bc01e0.4.raw.unpack, J4qms1IPBw.cs | .Net Code: CcJVCMvNtq
Source: 0.2.LisectAVT_2403002A_124.exe.3b857c0.5.raw.unpack, J4qms1IPBw.cs | .Net Code: CcJVCMvNtq

                    System Summary

Source: 0.2.LisectAVT_2403002A_124.exe.3b857c0.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_124.exe.3bc01e0.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.LisectAVT_2403002A_124.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_124.exe.3bc01e0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_124.exe.3b857c0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_026FD5FC
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_04D50040
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_04D50006
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_04D574BB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_070A1EA0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_070A1EB0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_070A8DA8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_070A4420
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_070A3B48
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_070A1A6A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_070A22E8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 2_2_0190A198
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 2_2_0190E2D0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 2_2_0190A968
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 2_2_01904A98
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 2_2_01903E80
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 2_2_019041C8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 2_2_06F66690
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 2_2_06F65680
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 2_2_06F67E18
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 2_2_06F6B2C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 2_2_06F6C208
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 2_2_06F63138
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 2_2_06F6E6D8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 2_2_06F67738
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 2_2_06F65D98
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 2_2_06F60040
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 2_2_06F60007
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1706506438.00000000009FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs LisectAVT_2403002A_124.exe
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1707385764.00000000028B0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebce68969-f7f7-4a25-8c88-95b6e3560c26.exe4 vs LisectAVT_2403002A_124.exe
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1711377513.0000000007880000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs LisectAVT_2403002A_124.exe
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1707848434.0000000003B85000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebce68969-f7f7-4a25-8c88-95b6e3560c26.exe4 vs LisectAVT_2403002A_124.exe
Source: LisectAVT_2403002A_124.exe, 00000000.00000002.1707848434.0000000003B85000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs LisectAVT_2403002A_124.exe
Source: LisectAVT_2403002A_124.exe, 00000002.00000002.2913062877.0000000001338000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs LisectAVT_2403002A_124.exe
Source: LisectAVT_2403002A_124.exe, 00000002.00000002.2912873981.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebce68969-f7f7-4a25-8c88-95b6e3560c26.exe4 vs LisectAVT_2403002A_124.exe
Source: LisectAVT_2403002A_124.exe | Binary or memory string: OriginalFilenamebdau.exeF vs LisectAVT_2403002A_124.exe
Source: LisectAVT_2403002A_124.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.LisectAVT_2403002A_124.exe.3b857c0.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_124.exe.3bc01e0.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.LisectAVT_2403002A_124.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_124.exe.3bc01e0.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_124.exe.3b857c0.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: LisectAVT_2403002A_124.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.LisectAVT_2403002A_124.exe.3bc01e0.4.raw.unpack, Lds5plxAPDj.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_124.exe.3bc01e0.4.raw.unpack, LZYJybC.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.LisectAVT_2403002A_124.exe.3bc01e0.4.raw.unpack, wDxPSW1p.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_124.exe.3bc01e0.4.raw.unpack, E0w8WLnyggK.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.LisectAVT_2403002A_124.exe.3bc01e0.4.raw.unpack, ZBSJHga2buE.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_124.exe.3bc01e0.4.raw.unpack, M4oIYVa.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_124.exe.3bc01e0.4.raw.unpack, kSS2HMsB8.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_124.exe.3bc01e0.4.raw.unpack, kSS2HMsB8.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, srpiv49bMTiOWAWIP3.cs | Security API names: _0020.SetAccessControl
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, srpiv49bMTiOWAWIP3.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, srpiv49bMTiOWAWIP3.cs | Security API names: _0020.AddAccessRule
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, srpiv49bMTiOWAWIP3.cs | Security API names: _0020.SetAccessControl
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, srpiv49bMTiOWAWIP3.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, srpiv49bMTiOWAWIP3.cs | Security API names: _0020.AddAccessRule
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, XUOos6pd8lC90dYS16.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, XUOos6pd8lC90dYS16.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_124.exe.log
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Mutant created: \Sessions\1\BaseNamedObjects\iNriaknHNbxGPZAEuTWsxPDLwwW
Source: LisectAVT_2403002A_124.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LisectAVT_2403002A_124.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe "C:\Users\user\Desktop\LisectAVT_2403002A_124.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Process created: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe "C:\Users\user\Desktop\LisectAVT_2403002A_124.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Process created: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe "C:\Users\user\Desktop\LisectAVT_2403002A_124.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: LisectAVT_2403002A_124.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: LisectAVT_2403002A_124.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: LisectAVT_2403002A_124.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: bdau.pdbSHA256 source: LisectAVT_2403002A_124.exe
                    Source: Binary string: bdau.pdb source: LisectAVT_2403002A_124.exe

                    Data Obfuscation

Source: LisectAVT_2403002A_124.exe, BowserOdevi.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, srpiv49bMTiOWAWIP3.cs | .Net Code: DL4y3sR9br System.Reflection.Assembly.Load(byte[])
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, srpiv49bMTiOWAWIP3.cs | .Net Code: DL4y3sR9br System.Reflection.Assembly.Load(byte[])
Source: 0.2.LisectAVT_2403002A_124.exe.5010000.6.raw.unpack, wehuuoKhMKMbnQu72K.cs | .Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
Source: LisectAVT_2403002A_124.exe | Static PE information: 0xE56C8780 [Fri Dec 21 17:04:00 2091 UTC]
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_026FC9B7 push cs; iretd 0_2_026FC9C6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_026FF2A8 push ebx; iretd 0_2_026FF2C2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_026FF343 push edi; iretd 0_2_026FF34A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_026FF33B push esp; iretd 0_2_026FF35A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_026FF330 push esi; iretd 0_2_026FF33A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_026F99B0 push ss; iretd 0_2_026F99BE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_026FFE00 push edx; iretd 0_2_026FFE06
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_026FFEA8 push ebx; iretd 0_2_026FFEAE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_04D5E300 push esp; ret 0_2_04D5E301
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_04D50D45 push cs; iretd 0_2_04D50D5E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_04D50F10 push esp; iretd 0_2_04D50F1E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_04D51453 push esp; iretd 0_2_04D5145E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_04D51090 push esi; iretd 0_2_04D5139E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_04D51036 push esp; iretd 0_2_04D51046
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_04D59C90 pushad ; iretd 0_2_04D59C9E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_04D5FDE8 pushad ; iretd 0_2_04D5FDF6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_04D51D2A push ebp; iretd 0_2_04D51D2C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_04D51EA1 push ebp; iretd 0_2_04D51EA3
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_04D51A98 push esp; iretd 0_2_04D51AA6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_070A750F push esp; iretd 0_2_070A751E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 0_2_070A7478 push esp; iretd 0_2_070A7486
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Code function: 2_2_01900C6D push edi; retf 2_2_01900C7A
Source: LisectAVT_2403002A_124.exe | Static PE information: section name: .text entropy: 7.896114394358964
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, ruBmFpm4X0qjugVge7.cs | High entropy of concatenated method names: 'S4hYDT4hVy', 'jAUYI7axYT', 'WZJY3Elr6k', 'D9vY5ClB2P', 'JPAYKEccgk', 'dfQYbwDAe4', 'bvtYU9uIZF', 't4XYeJXCPk', 'blRpIpNBtSFVJVgOtym', 'zn89spNTw3lQBjZuXW0'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, pbkn9fEkmSVUYuCkvS.cs | High entropy of concatenated method names: 'lHAdaoBRre', 'JaidMqqhXx', 'Y1Hdx2BHyj', 'cgMdml8sG5', 'evidHNviOb', 'rENdJuVf2K', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, bCFVduyjvCLQ4fLpy0.cs | High entropy of concatenated method names: 'wVEViUOos6', 'r8lV9C90dY', 'Cu6VcWblV1', 'xIrVRMiUm5', 'BgrV0ZU9Zh', 'KiiVFVexeN', 'bwhNZhreVx9QTSVG0w', 'jdLKgLcQa0AmHv311O', 'uvrVVft53X', 'XmXV6aaUBF'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, utNK7KUu6WblV1IIrM.cs | High entropy of concatenated method names: 'u57w513MuX', 've8wKvxG4J', 'BUswpC97rF', 'AH1wUhhCGV', 'l4Kw0MuSQo', 'BGXwFTAob0', 'pRKwtxxR0x', 'FA1wdWAmln', 'uVUwnYF3GV', 'Qk3wPHjDp4'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, PCflYOVCbwNgY8uR9ZV.cs | High entropy of concatenated method names: 'Eq2PI2KXmg', 'ksQPAKLZVi', 'mARP36VN2A', 'hCcOsY6jUSI9Nca7Q7u', 'G2QdN56zs4G0utlihuh', 'rHDVFVo2eP8gP5SJLbU', 'nxb3SZoYIeG1bDEO3ns'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, jUm5kmeyT99nKKgrZU.cs | High entropy of concatenated method names: 'eoUogLSHGI', 'uimobCU8VR', 'agZwxtZ9OU', 'ElswmJNOtg', 'B5qwJY8Wud', 'k18wZApgRe', 'WqYwToDcdY', 'vZbwG7Ugkt', 'n4ZwhUiEdd', 'odiwvoNa0h'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, srpiv49bMTiOWAWIP3.cs | High entropy of concatenated method names: 'LQc6r3Ccfh', 'FT861NkfK7', 'tQj6OcUoEm', 't4J6wGECDN', 'Wbt6oynHcT', 'CUg6Yt0Ve2', 'Txq6iqA8ca', 'Mk169Ivt6i', 'RRR68FfJIH', 'B1m6cwsllV'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, FKwAAtV6FrV5jsHTDqJ.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Ry6PHS53I9', 'dpTP7YsDgW', 'FVNPl45Yqb', 'TPwPjFULh1', 'Nd0PkFclPS', 'LNmPWqdmOO', 'IMCPBw8vBt'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, sFUK1VC6q0OH8xExVy.cs | High entropy of concatenated method names: 'Vu334ekEs', 'JPq5pkCYl', 'WUDKRxgn6', 'ckrbxrSGa', 'IchU9ofiK', 'X43epn0Me', 'c8wa7WVXO5p3CEhh0w', 'vsNR35OlBJNIyrESnk', 'cqTdg8wto', 'PcNPN6oVE'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, kZhTiiaVexeNqOxELb.cs | High entropy of concatenated method names: 'UJiYrEPrQg', 'i6hYOVE34B', 'cJsYoqIbgU', 'uk1Yifve6j', 'mV1Y9fXm8M', 'VwcokXrvsr', 'hnSoWeDnv0', 'VItoBA5kHC', 'wAAouxNIAE', 'yM5oEtCRiv'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, MGTbHnl7vRYKMihGcc.cs | High entropy of concatenated method names: 'ToString', 'IgXF4346SE', 'isDFMUf9AG', 'T0HFxR3jWV', 'DjhFmL2WFf', 'j9JFJXMBtu', 'KLiFZurmi8', 'M1cFTg7qNM', 'U3DFGY1yGm', 'dkAFhJtNxh'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, INEnmnwF2qjVFH3cOR.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'glQCENeRIn', 'JYnCsOGBMY', 'AddCzwWwEr', 'Jbm6QsnyU7', 'CId6Vn8Pxv', 'upF6CQCx0S', 'yZm665kBk2', 'LgIL0TY7J5e1o8b17jT'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, mKDuTFVQE6QgBE6HCcr.cs | High entropy of concatenated method names: 'vdRnIakyo5', 'TwGnALl85N', 'XcXn3IceEe', 'Yfdn5ELvNx', 'KkZngSsdWt', 'Gg6nKXoeI8', 'Wm4nbsn1rN', 'krPnptNVOk', 'joSnUVNB7X', 'JUpnewItqN'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, k57hQczJTqFB4cKpLm.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dWdnfZHMYu', 'Y4mn0l4tKP', 'FJlnFj7Dxn', 'jwPntvYLoC', 'DcNndoSHBq', 'kXrnnNny7M', 'qHQnPf59NG'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, TKpoFdOdwZBGcjEya7.cs | High entropy of concatenated method names: 'Dispose', 'atLVELYDVW', 'ayWCM2W53b', 's2nkkVcXR5', 'EofVsypCIY', 'AZlVzmt0Jr', 'ProcessDialogKey', 'EatCQbkn9f', 'UmSCVVUYuC', 'UvSCC26Awx'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, h8oSwShDsT51Fkc3yZ.cs | High entropy of concatenated method names: 'HSaiISTUjr', 'BKGiAGlGxD', 'VWqi3y98Cf', 'Fd4i5iTLI1', 'YXIiggRcQf', 'uhLiKFCL1r', 'SRHibyoaIj', 'lwpipg8lGw', 'ziYiU2oJZA', 'Fvpie7w4WZ'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, HSCItCjxsCrf5YKUOC.cs | High entropy of concatenated method names: 'rhWtcfRHdr', 'TGytR702cU', 'ToString', 'WH0t1u4ebR', 'ISxtOkH5Aw', 'q6ltwW2hc3', 'AZBtouaDnV', 'xaptYgkqpP', 'o0Rti0eyRB', 'EPTt9XwWOq'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, VVbjCDHVDfIQWckVYA.cs | High entropy of concatenated method names: 'TQV0vXSQnI', 'Cm10SOm0JP', 'XJ50H7Pvb8', 'mG707jxOrt', 'JVy0Mg597M', 'd3X0xFoRKE', 'hLZ0mxEQq2', 'R1E0JZXhDk', 'h2p0Z3GSru', 'qcy0T9H2Yc'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, XUOos6pd8lC90dYS16.cs | High entropy of concatenated method names: 'FrjOHoh6oI', 'LpkO70PuUI', 'rEsOlOTfKJ', 'cJiOj3ujJd', 'rZ2OkKYydR', 'QegOWk5kdB', 'bxoOBqqcvv', 'cTlOufJaqH', 'sE6OE5qpon', 'HbCOsmAMY7'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, hfypCIuY5Zlmt0JrUa.cs | High entropy of concatenated method names: 'k67d1Fm3Id', 'B5ndOCrnSo', 'KpndwmxoOe', 'dhPdo3uY82', 'dRVdYVHO9a', 'iOvdifxfDX', 'VpJd93sMuw', 'ua4d8hxpuC', 'iY0dcOslpR', 'IUhdRo9Ws4'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, icaxvCZ6aqZ3PiHMdJ.cs | High entropy of concatenated method names: 'H6OYlXsbK8', 'IsfYjvRcsM', 'MauYkqxqAg', 'ToString', 'oIMYWCMWjR', 'zOgYBXx1xq', 'Mk5OU7N3A0LruHsmAVI', 'G3Jy3MN0KlSPVL2MDiG', 'BiJGZSNXiGFkErotq7A'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, u6AwxmslUiHFvQuVn9.cs | High entropy of concatenated method names: 'McGnVrXXJT', 'KMKn6MnUaT', 'ms3ny8Giga', 'E0cn1hCbRC', 'amPnOcNo3f', 'KdAnoIAOWU', 'Sx8nYGe1Pe', 'XasdBGJOXS', 'dJtduLDXEy', 'zxXdEvFIm8'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, JRGbcDWbZCZ666nwc5.cs | High entropy of concatenated method names: 'MdItuyMSay', 'T1atsy64Zh', 'O2HdQiT6tI', 'mR6dVbDkxT', 'mSdt4mysjB', 'EFHtSZJ70x', 'UKQtqnn787', 'xvCtHJxETa', 'dnnt7Agea9', 'SmmtlmSuoi'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, KE2aSiTVAwAGmbGpIg.cs | High entropy of concatenated method names: 'rNai1r1vmg', 'cUOiwVfxye', 'ytbiYJR4uB', 'P4EYswsWIy', 'q9ZYzk6uPr', 'Og3iQlyA8s', 'qRFiVXjsRO', 'jYWiCqw3U2', 'Pchi6olICk', 'ne8iylpMdb'
Source: 0.2.LisectAVT_2403002A_124.exe.7880000.8.raw.unpack, Vu60JKqx5NHLYX2BnX.cs | High entropy of concatenated method names: 'eZufpmlTjY', 'PblfU4x0uC', 'Drlfal8UGK', 'wnZfMy8mBe', 'rjXfm9aGps', 'YaLfJoEpbm', 'bblfTAvpSr', 'mVffGBQ8MS', 'j5kfvDhtgS', 'k1kf4POctu'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, ruBmFpm4X0qjugVge7.cs | High entropy of concatenated method names: 'S4hYDT4hVy', 'jAUYI7axYT', 'WZJY3Elr6k', 'D9vY5ClB2P', 'JPAYKEccgk', 'dfQYbwDAe4', 'bvtYU9uIZF', 't4XYeJXCPk', 'blRpIpNBtSFVJVgOtym', 'zn89spNTw3lQBjZuXW0'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, pbkn9fEkmSVUYuCkvS.cs | High entropy of concatenated method names: 'lHAdaoBRre', 'JaidMqqhXx', 'Y1Hdx2BHyj', 'cgMdml8sG5', 'evidHNviOb', 'rENdJuVf2K', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, bCFVduyjvCLQ4fLpy0.cs | High entropy of concatenated method names: 'wVEViUOos6', 'r8lV9C90dY', 'Cu6VcWblV1', 'xIrVRMiUm5', 'BgrV0ZU9Zh', 'KiiVFVexeN', 'bwhNZhreVx9QTSVG0w', 'jdLKgLcQa0AmHv311O', 'uvrVVft53X', 'XmXV6aaUBF'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, utNK7KUu6WblV1IIrM.cs | High entropy of concatenated method names: 'u57w513MuX', 've8wKvxG4J', 'BUswpC97rF', 'AH1wUhhCGV', 'l4Kw0MuSQo', 'BGXwFTAob0', 'pRKwtxxR0x', 'FA1wdWAmln', 'uVUwnYF3GV', 'Qk3wPHjDp4'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, PCflYOVCbwNgY8uR9ZV.cs | High entropy of concatenated method names: 'Eq2PI2KXmg', 'ksQPAKLZVi', 'mARP36VN2A', 'hCcOsY6jUSI9Nca7Q7u', 'G2QdN56zs4G0utlihuh', 'rHDVFVo2eP8gP5SJLbU', 'nxb3SZoYIeG1bDEO3ns'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, jUm5kmeyT99nKKgrZU.cs | High entropy of concatenated method names: 'eoUogLSHGI', 'uimobCU8VR', 'agZwxtZ9OU', 'ElswmJNOtg', 'B5qwJY8Wud', 'k18wZApgRe', 'WqYwToDcdY', 'vZbwG7Ugkt', 'n4ZwhUiEdd', 'odiwvoNa0h'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, srpiv49bMTiOWAWIP3.cs | High entropy of concatenated method names: 'LQc6r3Ccfh', 'FT861NkfK7', 'tQj6OcUoEm', 't4J6wGECDN', 'Wbt6oynHcT', 'CUg6Yt0Ve2', 'Txq6iqA8ca', 'Mk169Ivt6i', 'RRR68FfJIH', 'B1m6cwsllV'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, FKwAAtV6FrV5jsHTDqJ.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Ry6PHS53I9', 'dpTP7YsDgW', 'FVNPl45Yqb', 'TPwPjFULh1', 'Nd0PkFclPS', 'LNmPWqdmOO', 'IMCPBw8vBt'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, sFUK1VC6q0OH8xExVy.cs | High entropy of concatenated method names: 'Vu334ekEs', 'JPq5pkCYl', 'WUDKRxgn6', 'ckrbxrSGa', 'IchU9ofiK', 'X43epn0Me', 'c8wa7WVXO5p3CEhh0w', 'vsNR35OlBJNIyrESnk', 'cqTdg8wto', 'PcNPN6oVE'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, kZhTiiaVexeNqOxELb.cs | High entropy of concatenated method names: 'UJiYrEPrQg', 'i6hYOVE34B', 'cJsYoqIbgU', 'uk1Yifve6j', 'mV1Y9fXm8M', 'VwcokXrvsr', 'hnSoWeDnv0', 'VItoBA5kHC', 'wAAouxNIAE', 'yM5oEtCRiv'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, MGTbHnl7vRYKMihGcc.cs | High entropy of concatenated method names: 'ToString', 'IgXF4346SE', 'isDFMUf9AG', 'T0HFxR3jWV', 'DjhFmL2WFf', 'j9JFJXMBtu', 'KLiFZurmi8', 'M1cFTg7qNM', 'U3DFGY1yGm', 'dkAFhJtNxh'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, INEnmnwF2qjVFH3cOR.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'glQCENeRIn', 'JYnCsOGBMY', 'AddCzwWwEr', 'Jbm6QsnyU7', 'CId6Vn8Pxv', 'upF6CQCx0S', 'yZm665kBk2', 'LgIL0TY7J5e1o8b17jT'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, mKDuTFVQE6QgBE6HCcr.cs | High entropy of concatenated method names: 'vdRnIakyo5', 'TwGnALl85N', 'XcXn3IceEe', 'Yfdn5ELvNx', 'KkZngSsdWt', 'Gg6nKXoeI8', 'Wm4nbsn1rN', 'krPnptNVOk', 'joSnUVNB7X', 'JUpnewItqN'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, k57hQczJTqFB4cKpLm.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dWdnfZHMYu', 'Y4mn0l4tKP', 'FJlnFj7Dxn', 'jwPntvYLoC', 'DcNndoSHBq', 'kXrnnNny7M', 'qHQnPf59NG'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, TKpoFdOdwZBGcjEya7.cs | High entropy of concatenated method names: 'Dispose', 'atLVELYDVW', 'ayWCM2W53b', 's2nkkVcXR5', 'EofVsypCIY', 'AZlVzmt0Jr', 'ProcessDialogKey', 'EatCQbkn9f', 'UmSCVVUYuC', 'UvSCC26Awx'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, h8oSwShDsT51Fkc3yZ.cs | High entropy of concatenated method names: 'HSaiISTUjr', 'BKGiAGlGxD', 'VWqi3y98Cf', 'Fd4i5iTLI1', 'YXIiggRcQf', 'uhLiKFCL1r', 'SRHibyoaIj', 'lwpipg8lGw', 'ziYiU2oJZA', 'Fvpie7w4WZ'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, HSCItCjxsCrf5YKUOC.cs | High entropy of concatenated method names: 'rhWtcfRHdr', 'TGytR702cU', 'ToString', 'WH0t1u4ebR', 'ISxtOkH5Aw', 'q6ltwW2hc3', 'AZBtouaDnV', 'xaptYgkqpP', 'o0Rti0eyRB', 'EPTt9XwWOq'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, VVbjCDHVDfIQWckVYA.cs | High entropy of concatenated method names: 'TQV0vXSQnI', 'Cm10SOm0JP', 'XJ50H7Pvb8', 'mG707jxOrt', 'JVy0Mg597M', 'd3X0xFoRKE', 'hLZ0mxEQq2', 'R1E0JZXhDk', 'h2p0Z3GSru', 'qcy0T9H2Yc'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, XUOos6pd8lC90dYS16.cs | High entropy of concatenated method names: 'FrjOHoh6oI', 'LpkO70PuUI', 'rEsOlOTfKJ', 'cJiOj3ujJd', 'rZ2OkKYydR', 'QegOWk5kdB', 'bxoOBqqcvv', 'cTlOufJaqH', 'sE6OE5qpon', 'HbCOsmAMY7'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, hfypCIuY5Zlmt0JrUa.cs | High entropy of concatenated method names: 'k67d1Fm3Id', 'B5ndOCrnSo', 'KpndwmxoOe', 'dhPdo3uY82', 'dRVdYVHO9a', 'iOvdifxfDX', 'VpJd93sMuw', 'ua4d8hxpuC', 'iY0dcOslpR', 'IUhdRo9Ws4'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, icaxvCZ6aqZ3PiHMdJ.cs | High entropy of concatenated method names: 'H6OYlXsbK8', 'IsfYjvRcsM', 'MauYkqxqAg', 'ToString', 'oIMYWCMWjR', 'zOgYBXx1xq', 'Mk5OU7N3A0LruHsmAVI', 'G3Jy3MN0KlSPVL2MDiG', 'BiJGZSNXiGFkErotq7A'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, u6AwxmslUiHFvQuVn9.cs | High entropy of concatenated method names: 'McGnVrXXJT', 'KMKn6MnUaT', 'ms3ny8Giga', 'E0cn1hCbRC', 'amPnOcNo3f', 'KdAnoIAOWU', 'Sx8nYGe1Pe', 'XasdBGJOXS', 'dJtduLDXEy', 'zxXdEvFIm8'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, JRGbcDWbZCZ666nwc5.cs | High entropy of concatenated method names: 'MdItuyMSay', 'T1atsy64Zh', 'O2HdQiT6tI', 'mR6dVbDkxT', 'mSdt4mysjB', 'EFHtSZJ70x', 'UKQtqnn787', 'xvCtHJxETa', 'dnnt7Agea9', 'SmmtlmSuoi'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, KE2aSiTVAwAGmbGpIg.cs | High entropy of concatenated method names: 'rNai1r1vmg', 'cUOiwVfxye', 'ytbiYJR4uB', 'P4EYswsWIy', 'q9ZYzk6uPr', 'Og3iQlyA8s', 'qRFiVXjsRO', 'jYWiCqw3U2', 'Pchi6olICk', 'ne8iylpMdb'
Source: 0.2.LisectAVT_2403002A_124.exe.3c25f30.3.raw.unpack, Vu60JKqx5NHLYX2BnX.cs | High entropy of concatenated method names: 'eZufpmlTjY', 'PblfU4x0uC', 'Drlfal8UGK', 'wnZfMy8mBe', 'rjXfm9aGps', 'YaLfJoEpbm', 'bblfTAvpSr', 'mVffGBQ8MS', 'j5kfvDhtgS', 'k1kf4POctu'
Source: 0.2.LisectAVT_2403002A_124.exe.5010000.6.raw.unpack, kdFvaMFVPKs73pA7Ae.cs | High entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
Source: 0.2.LisectAVT_2403002A_124.exe.5010000.6.raw.unpack, DD.cs | High entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
Source: 0.2.LisectAVT_2403002A_124.exe.5010000.6.raw.unpack, ihWImL1h2qjtIkVYDh.cs | High entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
Source: 0.2.LisectAVT_2403002A_124.exe.5010000.6.raw.unpack, oImfMJtvGUo8fMQNBQ.cs | High entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
Source: 0.2.LisectAVT_2403002A_124.exe.5010000.6.raw.unpack, wehuuoKhMKMbnQu72K.cs | High entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
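The static findings in this block (a TimeDateStamp of 0xE56C8780 that decodes to December 2091, a .text section with entropy close to the 8-bit ceiling, DllCharacteristics DYNAMIC_BASE/NX_COMPAT/NO_SEH/TERMINAL_SERVER_AWARE, and randomised method names in the unpacked .NET payloads) are cheap to reproduce in a triage script. The script below is an added example written for this page, not code from Joe Sandbox or from the sample. It constructs a minimal PE header inline carrying the report's timestamp and flag values so it runs offline without the binary; the method-name entropy function is an assumed approximation of the report's heuristic (the report does not publish its threshold), and the "packed .text" input is a constructed byte pattern, not the sample's section. One caveat a reviewer should keep in mind: .NET assemblies built with Roslyn's deterministic option store a content hash in the TimeDateStamp field, which frequently decodes to a far-future date, so a future timestamp on a managed binary is a lead rather than proof of tampering.

```python
"""Static PE triage checks of the kind reported above (added example)."""
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits named in the report
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def pe_timestamp_to_utc(ts: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)


def timestamp_is_suspicious(ts: int, now: datetime = None) -> bool:
    """Zero or future link times cannot be genuine build times.

    Caveat: Roslyn deterministic builds put a content hash here, which often
    decodes to a date after 2038, so for .NET binaries this is a lead only.
    """
    now = now or datetime.now(timezone.utc)
    return ts == 0 or pe_timestamp_to_utc(ts) > now


def decode_dll_characteristics(value: int) -> list:
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling, packed or encrypted data sits near it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def method_name_entropy(names: list) -> float:
    """Entropy of the concatenated method names (assumed approximation of the
    report's heuristic): obfuscator-generated identifiers score higher than
    readable names such as 'ToString' or 'Dispose'."""
    return shannon_entropy("".join(names).encode())


def parse_pe_headers(buf: bytes) -> dict:
    """Read the fields used by triage() from the DOS, file and optional headers."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, ...
    machine, nsections, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", buf, opt)[0]          # 0x10B PE32, 0x20B PE32+
    dllchar = struct.unpack_from("<H", buf, opt + 70)[0]   # same offset in both formats
    return {"machine": machine, "sections": nsections, "timestamp": timestamp,
            "magic": magic, "dll_characteristics": dllchar}


def triage(buf: bytes, text_section: bytes) -> dict:
    hdr = parse_pe_headers(buf)
    return {
        "timestamp": hdr["timestamp"],
        "timestamp_utc": pe_timestamp_to_utc(hdr["timestamp"]).isoformat(),
        "suspicious_timestamp": timestamp_is_suspicious(hdr["timestamp"]),
        "dll_characteristics": decode_dll_characteristics(hdr["dll_characteristics"]),
        "text_entropy": round(shannon_entropy(text_section), 3),
    }


def build_sample_header(timestamp: int, dllchar: int) -> bytes:
    """Constructed header for the demo: 64-byte DOS header, PE signature,
    20-byte file header, 224-byte PE32 optional header. No sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<H", opt, 68, 2)                            # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dllchar)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    # Timestamp and flag values taken from the report; header itself is constructed.
    sample = build_sample_header(0xE56C8780, 0x8540)
    # Constructed stand-in for a packed .text section (every byte value equally often).
    packed = bytes(range(256)) * 16
    print(triage(sample, packed))
    print(method_name_entropy(["ToString", "Dispose", "ConvertTo"]))
    print(method_name_entropy(["S4hYDT4hVy", "jAUYI7axYT", "WZJY3Elr6k"]))
```

Running it prints a timestamp of 2091-12-21T17:04:00+00:00 flagged as suspicious, the four DllCharacteristics names, and a .text entropy of 8.0 for the constructed input; the report's real value of 7.896 for this sample is in the same range. The method-name comparison only shows the direction of the heuristic: on three names the difference is small, and a real implementation would aggregate across every type in the assembly before applying a threshold.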
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_124.exe PID: 7292, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Memory allocated: 2600000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Memory allocated: 2840000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Memory allocated: 2600000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Memory allocated: 7900000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Memory allocated: 8900000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Memory allocated: 8BC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Memory allocated: 9BC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Memory allocated: 1900000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Memory allocated: 32F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Memory allocated: 52F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Window / User API: threadDelayed 1928
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Window / User API: threadDelayed 7875
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7316 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep count: 34 > 30
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -31359464925306218s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7580 Thread sleep count: 1928 > 30
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -99875s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -99766s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep count: 44 > 30
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -99641s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7580 Thread sleep count: 7875 > 30
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -99531s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -99420s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -99312s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -99204s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -99079s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -98954s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -98829s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -98704s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -98579s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -98454s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -98329s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -98204s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -98079s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -97954s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -97829s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -97704s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -97579s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -97454s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -97329s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -97204s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -97079s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -96954s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -96829s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -96704s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -96579s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -96454s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -96329s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -96204s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -96079s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -95954s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -95829s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -95704s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -95579s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -95454s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -95329s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -95204s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -95079s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -94954s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -94829s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -94704s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -94579s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -94454s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -94329s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -94204s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -94079s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -93954s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe TID: 7576 Thread sleep time: -93829s >= -30000s
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 99875
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 99766
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 99641
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 99531
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 99420
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 99312
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 99204
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 99079
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 98954
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 98829
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 98704
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 98579
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 98454
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 98329
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 98204
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 98079
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 97954
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 97829
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 97704
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 97579
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 97454
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 97329
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 97204
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 97079
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 96954
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 96829
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 96704
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 96579
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 96454
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 96329
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 96204
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 96079
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 95954
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 95829
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 95704
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 95579
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 95454
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 95329
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 95204
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 95079
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 94954
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 94829
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 94704
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 94579
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 94454
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 94329
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 94204
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 94079
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 93954
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Thread delayed: delay time: 93829
                    Source: LisectAVT_2403002A_124.exe, 00000002.00000002.2914025239.000000000177D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Memory written: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe "C:\Users\user\Desktop\LisectAVT_2403002A_124.exe"
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_124.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: 0.2.LisectAVT_2403002A_124.exe.3b857c0.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.LisectAVT_2403002A_124.exe.3bc01e0.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.LisectAVT_2403002A_124.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.LisectAVT_2403002A_124.exe.3bc01e0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.LisectAVT_2403002A_124.exe.3b857c0.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.2912873981.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.2914893392.0000000003341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1707848434.00000000044A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1707848434.0000000003B85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.2914893392.0000000003367000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: LisectAVT_2403002A_124.exe PID: 7292, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: LisectAVT_2403002A_124.exe PID: 7468, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_124.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior

Remote Access Functionality

Source: Yara match | File sources: the same unpacked PE images, memory dumps and process memory spaces (PIDs 7292 and 7468) listed under Stealing of Sensitive Information
MITRE ATT&CK Matrix (numbers in brackets are the hit badges as shown in the report; techniques without a badge are the unmatched remainder of the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: [121] Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: [1] DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: [1] DLL Side-Loading; [111] Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: [1] Disable or Modify Tools; [1] Deobfuscate/Decode Files or Information; [3] Obfuscated Files or Information; [12] Software Packing; [1] Timestomp; [1] DLL Side-Loading; [1] Masquerading; [141] Virtualization/Sandbox Evasion; [111] Process Injection
Credential Access: [2] OS Credential Dumping; [1] Input Capture; [1] Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: [1] File and Directory Discovery; [24] System Information Discovery; [1] Query Registry; [111] Security Software Discovery; [1] Process Discovery; [141] Virtualization/Sandbox Evasion; [1] Application Window Discovery; [1] System Network Configuration Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: [11] Archive Collected Data; [2] Data from Local System; [1] Email Collection; [1] Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: [1] Ingress Tool Transfer; [11] Encrypted Channel; [1] Non-Standard Port; [2] Non-Application Layer Protocol; [23] Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Source | Detection | Scanner | Label
LisectAVT_2403002A_124.exe | 100% | Avira | TR/AD.GenSteal.rqtdh
LisectAVT_2403002A_124.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label
https://api.ipify.org/ | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe
http://www.fontbureau.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://account.dyn.com/ | 0% | URL Reputation | safe
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
https://api.ipify.org/t | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
https://api.ipify.org | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
http://www.google.com | 100% | URL Reputation | malware
http://www.fonts.com | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.google.com | 0% | Avira URL Cloud | safe
http://smtp.flying-fish-cn.com | 0% | Avira URL Cloud | safe
http://us2.smtp.mailhostbox.com | 0% | Avira URL Cloud | safe
http://www.google.com)Uygun | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.199.225 | true | false | | unknown
api.ipify.org | 104.26.12.205 | true | false | | unknown
smtp.flying-fish-cn.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
208.91.199.225 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1482514
Start date and time: 2024-07-26 00:04:14 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: LisectAVT_2403002A_124.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 100
• Number of non-executed functions: 16
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: LisectAVT_2403002A_124.exe
Time | Type | Description
18:05:05 | API Interceptor | 177x Sleep call for process: LisectAVT_2403002A_124.exe modified
                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          104.26.12.205SecuriteInfo.com.Win64.Evo-gen.28044.10443.exeGet hashmaliciousUnknownBrowse
                          • api.ipify.org/
                          vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                          • api.ipify.org/
                          6OiUEubyA8.msiGet hashmaliciousQuasarBrowse
                          • api.ipify.org/
                          SecuriteInfo.com.Win64.RansomX-gen.22171.1307.exeGet hashmaliciousConti, PureLog Stealer, Targeted RansomwareBrowse
                          • api.ipify.org/
                          482730621.exeGet hashmaliciousStealitBrowse
                          • api.ipify.org/?format=json
                          482730621.exeGet hashmaliciousStealitBrowse
                          • api.ipify.org/?format=json
                          Sonic-Glyder.exeGet hashmaliciousStealitBrowse
                          • api.ipify.org/?format=json
                          Sky-Beta.exeGet hashmaliciousStealitBrowse
                          • api.ipify.org/?format=json
                          SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exeGet hashmaliciousBunny LoaderBrowse
                          • api.ipify.org/
                          lods.cmdGet hashmaliciousRemcosBrowse
                          • api.ipify.org/
                          208.91.199.225jRlq1fSUW5.exeGet hashmaliciousAgentTeslaBrowse
                            IEnetcache.htaGet hashmaliciousCobalt Strike, AgentTesla, PureLog StealerBrowse
                              winiti.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                0RA0ngi2c2.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                  z1X3Z1ohoefF078ij.exeGet hashmaliciousAgentTeslaBrowse
                                    Products and Quote.exeGet hashmaliciousAgentTeslaBrowse
                                      Purchase Order.exeGet hashmaliciousAgentTeslaBrowse
                                        ATTACHMENT OF PAYMENT.exeGet hashmaliciousAgentTeslaBrowse
                                          Luciana Alvarez CV.exeGet hashmaliciousAgentTeslaBrowse
                                            6bdudXAsQW.exeGet hashmaliciousAgentTeslaBrowse
                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              us2.smtp.mailhostbox.comLisectAVT_2403002A_52.exeGet hashmaliciousAgentTeslaBrowse
                                              • 208.91.198.143
                                              SWIFT COPY.exeGet hashmaliciousAgentTeslaBrowse
                                              • 208.91.199.224
                                              LisectAVT_2403002B_465.exeGet hashmaliciousAgentTeslaBrowse
                                              • 208.91.199.224
                                              jRlq1fSUW5.exeGet hashmaliciousAgentTeslaBrowse
                                              • 208.91.199.225
                                              SecuriteInfo.com.Win32.PWSX-gen.14778.18726.exeGet hashmaliciousAgentTeslaBrowse
                                              • 208.91.198.143
                                              LCWGT83qLa.exeGet hashmaliciousAgentTeslaBrowse
                                              • 208.91.199.223
                                              IEnetcache.htaGet hashmaliciousCobalt Strike, AgentTesla, PureLog StealerBrowse
                                              • 208.91.199.225
                                               | winiti.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 208.91.199.225
                                               | 8hOkq9mMQu.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 208.91.198.143
                                               | 0RA0ngi2c2.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 208.91.199.225
                                               api.ipify.org | LisectAVT_2403002A_127.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
                                               | LisectAVT_2403002A_133.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
                                               | LisectAVT_2403002A_2.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
                                               | LisectAVT_2403002A_460.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
                                               | LisectAVT_2403002A_481.exe | Get hash | malicious | Luna Grabber, Luna Logger | Browse | 104.26.12.205
                                               | LisectAVT_2403002A_63.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
                                               | LisectAVT_2403002A_59.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
                                               | LisectAVT_2403002A_74.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
                                               | SWIFT COPY.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
                                               | Re_ Q22689 - 07.24.2024_Conduit Construction Network Ltd_Today.eml | Get hash | malicious | Unknown | Browse | 172.67.74.152
                                               Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                               CLOUDFLARENETUS | LisectAVT_2403002A_127.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
                                               | LisectAVT_2403002A_133.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
                                               | LisectAVT_2403002A_147.exe | Get hash | malicious | Blank Grabber | Browse | 162.159.138.232
                                               | LisectAVT_2403002A_155.exe | Get hash | malicious | Unknown | Browse | 172.67.202.72
                                               | LisectAVT_2403002A_161.exe | Get hash | malicious | Luna Grabber, Luna Logger | Browse | 162.159.133.233
                                               | LisectAVT_2403002A_162.exe | Get hash | malicious | Unknown | Browse | 104.21.85.44
                                               | https://aecoa.racipens.su/ievqefkwtdjogsyjfdbfnprzYkzLoDtSZBZFTQIDNBMGDEMRMWVOLGXOOCCPHOBAHWORBTIQHFOUAGEIrstXEZnKMUIf12KAT7V5Wwx35 | Get hash | malicious | Unknown | Browse | 172.67.170.95
                                               | LisectAVT_2403002A_2.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
                                               | https://taf7.rphortan.com/xV5YqZuT/#Xjeffrey.laws@99restaurants.com | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 104.17.25.14
                                               | LisectAVT_2403002A_210.exe | Get hash | malicious | Python Stealer, Empyrean, Discord Token Stealer | Browse | 104.16.123.96
                                               PUBLIC-DOMAIN-REGISTRYUS | LisectAVT_2403002A_16.exe | Get hash | malicious | AgentTesla | Browse | 199.79.62.115
                                               | LisectAVT_2403002A_52.exe | Get hash | malicious | AgentTesla | Browse | 208.91.198.143
                                               | SWIFT COPY.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.224
                                               | LisectAVT_2403002B_290.exe | Get hash | malicious | Bdaejec | Browse | 74.119.239.234
                                               | LisectAVT_2403002B_465.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.223
                                               | jRlq1fSUW5.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.225
                                               | SecuriteInfo.com.Win32.PWSX-gen.14778.18726.exe | Get hash | malicious | AgentTesla | Browse | 208.91.198.143
                                               | bJrO2iUerN.elf | Get hash | malicious | Unknown | Browse | 204.11.58.71
                                               | PO#1164031.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 208.91.198.24
                                               | 5RQ24SOW EPIRB_TOTAL Marine Services Ltd.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 208.91.198.24
                                               Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                               3b5074b1b5d032e5620f69f9f700ff0e | LisectAVT_2403002A_127.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
                                               | LisectAVT_2403002A_133.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
                                               | LisectAVT_2403002A_14.exe | Get hash | malicious | Unknown | Browse | 104.26.12.205
                                               | LisectAVT_2403002A_14.exe | Get hash | malicious | Unknown | Browse | 104.26.12.205
                                               | LisectAVT_2403002A_155.exe | Get hash | malicious | Unknown | Browse | 104.26.12.205
                                               | LisectAVT_2403002A_162.exe | Get hash | malicious | Unknown | Browse | 104.26.12.205
                                               | LisectAVT_2403002A_2.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
                                               | LisectAVT_2403002A_220.exe | Get hash | malicious | Unknown | Browse | 104.26.12.205
                                               | LisectAVT_2403002A_308.exe | Get hash | malicious | Unknown | Browse | 104.26.12.205
                                               | LisectAVT_2403002A_308.exe | Get hash | malicious | Unknown | Browse | 104.26.12.205
                                              No context
                                              Process:C:\Users\user\Desktop\LisectAVT_2403002A_124.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.34331486778365
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                              Malicious:true
                                              Reputation:high, very likely benign file
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.8887481114185025
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              File name:LisectAVT_2403002A_124.exe
                                              File size:705'542 bytes
                                              MD5:1e6fe7e9dd5292ac6ed4c77d742da69b
                                              SHA1:5f13634797d7d9c4b670d3e11076680340f89b89
                                              SHA256:bb1b31f63c63a642be94f71d4dbab8c30c498662ee4269722aca9448eb264d94
                                              SHA512:1795fbf6bf79ee9799c2b97304fa6d11901c0c7401b2f4dcad343f0f6a0b578e1fd2bf6fdf86c74becc2843d86229b5e80bda64c38b9820fc28232f8da615a24
                                              SSDEEP:12288:UB+GbFNXl2MIBdcqcUwxW8aNGFDp5T3bzNq8GmNLhnWmIBczDc44CMw:cvRNV2VdcqcUXdaDplzNqIhcczw
                                              TLSH:CBE402003ABD5B56F8BFCBF8152661415BBA396F2075E32C5CC6B0DE2A7AF004641E67
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....l...............0.................. ........@.. ....................... ............@................................
                                              Icon Hash:90cececece8e8eb0
                                              Entrypoint:0x4ad896
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0xE56C8780 [Fri Dec 21 17:04:00 2091 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Instruction
                                              jmp dword ptr [00402000h]
                                              xor al, 35h
                                              xor eax, 43465138h
                                              push eax
                                              xor eax, 38453452h
                                              xor dl, byte ptr [ecx+eax*2+5Ah]
                                              push esi
                                              dec eax
                                              dec eax
                                              inc ebx
                                              inc esp
                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0xad842 | 0x4f | .text
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xae000 | 0x5c4 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb0000 | 0xc | .reloc
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0xab334 | 0x70 | .text
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               .text | 0x2000 | 0xab8b4 | 0xaba00 | 8167149dc6a340fe1041bb04201ae6fb | False | 0.9097607884195194 | data | 7.896114394358964 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                               .rsrc | 0xae000 | 0x5c4 | 0x600 | 307a2a9fec5d43bcd7e455e03742970e | False | 0.42578125 | data | 4.111922568999861 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .reloc | 0xb0000 | 0xc | 0x200 | f5930ee46e35125151ca985a972c87a5 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                               RT_VERSION | 0xae090 | 0x334 | data | | | 0.42560975609756097
                                               RT_MANIFEST | 0xae3d4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                               DLL | Import
                                               mscoree.dll | _CorExeMain
                                               Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                                               2024-07-26T00:06:03.820057+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49743 | 40.127.169.103 | 192.168.2.4
                                               2024-07-26T00:05:25.683509+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49737 | 40.127.169.103 | 192.168.2.4
                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Jul 26, 2024 00:05:07.720072031 CEST | 49732 | 443 | 192.168.2.4 | 104.26.12.205
                                               Jul 26, 2024 00:05:07.720113039 CEST | 443 | 49732 | 104.26.12.205 | 192.168.2.4
                                               Jul 26, 2024 00:05:07.720181942 CEST | 49732 | 443 | 192.168.2.4 | 104.26.12.205
                                               Jul 26, 2024 00:05:07.727714062 CEST | 49732 | 443 | 192.168.2.4 | 104.26.12.205
                                               Jul 26, 2024 00:05:07.727729082 CEST | 443 | 49732 | 104.26.12.205 | 192.168.2.4
                                               Jul 26, 2024 00:05:08.196845055 CEST | 443 | 49732 | 104.26.12.205 | 192.168.2.4
                                               Jul 26, 2024 00:05:08.198476076 CEST | 49732 | 443 | 192.168.2.4 | 104.26.12.205
                                               Jul 26, 2024 00:05:08.201055050 CEST | 49732 | 443 | 192.168.2.4 | 104.26.12.205
                                               Jul 26, 2024 00:05:08.201076031 CEST | 443 | 49732 | 104.26.12.205 | 192.168.2.4
                                               Jul 26, 2024 00:05:08.201395035 CEST | 443 | 49732 | 104.26.12.205 | 192.168.2.4
                                               Jul 26, 2024 00:05:08.242806911 CEST | 49732 | 443 | 192.168.2.4 | 104.26.12.205
                                               Jul 26, 2024 00:05:08.257642984 CEST | 49732 | 443 | 192.168.2.4 | 104.26.12.205
                                               Jul 26, 2024 00:05:08.304506063 CEST | 443 | 49732 | 104.26.12.205 | 192.168.2.4
                                               Jul 26, 2024 00:05:08.366592884 CEST | 443 | 49732 | 104.26.12.205 | 192.168.2.4
                                               Jul 26, 2024 00:05:08.366657972 CEST | 443 | 49732 | 104.26.12.205 | 192.168.2.4
                                               Jul 26, 2024 00:05:08.366731882 CEST | 49732 | 443 | 192.168.2.4 | 104.26.12.205
                                               Jul 26, 2024 00:05:08.387226105 CEST | 49732 | 443 | 192.168.2.4 | 104.26.12.205
                                               Jul 26, 2024 00:05:09.257731915 CEST | 49734 | 587 | 192.168.2.4 | 208.91.199.225
                                               Jul 26, 2024 00:05:09.263462067 CEST | 587 | 49734 | 208.91.199.225 | 192.168.2.4
                                               Jul 26, 2024 00:05:09.263542891 CEST | 49734 | 587 | 192.168.2.4 | 208.91.199.225
                                               Jul 26, 2024 00:05:30.667756081 CEST | 587 | 49734 | 208.91.199.225 | 192.168.2.4
                                               Jul 26, 2024 00:05:30.667970896 CEST | 49734 | 587 | 192.168.2.4 | 208.91.199.225
                                               Jul 26, 2024 00:05:30.672717094 CEST | 49734 | 587 | 192.168.2.4 | 208.91.199.225
                                               Jul 26, 2024 00:05:30.680454016 CEST | 587 | 49734 | 208.91.199.225 | 192.168.2.4
                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Jul 26, 2024 00:05:07.702933073 CEST | 54205 | 53 | 192.168.2.4 | 1.1.1.1
                                               Jul 26, 2024 00:05:07.714070082 CEST | 53 | 54205 | 1.1.1.1 | 192.168.2.4
                                               Jul 26, 2024 00:05:08.931281090 CEST | 54745 | 53 | 192.168.2.4 | 1.1.1.1
                                               Jul 26, 2024 00:05:09.256177902 CEST | 53 | 54745 | 1.1.1.1 | 192.168.2.4
                                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                               Jul 26, 2024 00:05:07.702933073 CEST | 192.168.2.4 | 1.1.1.1 | 0x512a | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                               Jul 26, 2024 00:05:08.931281090 CEST | 192.168.2.4 | 1.1.1.1 | 0x497d | Standard query (0) | smtp.flying-fish-cn.com | A (IP address) | IN (0x0001) | false
                                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                               Jul 26, 2024 00:05:07.714070082 CEST | 1.1.1.1 | 192.168.2.4 | 0x512a | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                               Jul 26, 2024 00:05:07.714070082 CEST | 1.1.1.1 | 192.168.2.4 | 0x512a | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                               Jul 26, 2024 00:05:07.714070082 CEST | 1.1.1.1 | 192.168.2.4 | 0x512a | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                               Jul 26, 2024 00:05:09.256177902 CEST | 1.1.1.1 | 192.168.2.4 | 0x497d | No error (0) | smtp.flying-fish-cn.com | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001) | false
                                               Jul 26, 2024 00:05:09.256177902 CEST | 1.1.1.1 | 192.168.2.4 | 0x497d | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001) | false
                                               Jul 26, 2024 00:05:09.256177902 CEST | 1.1.1.1 | 192.168.2.4 | 0x497d | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001) | false
                                               Jul 26, 2024 00:05:09.256177902 CEST | 1.1.1.1 | 192.168.2.4 | 0x497d | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001) | false
                                               Jul 26, 2024 00:05:09.256177902 CEST | 1.1.1.1 | 192.168.2.4 | 0x497d | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001) | false
                                              • api.ipify.org
                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               0 | 192.168.2.4 | 49732 | 104.26.12.205 | 443 | 7468 | C:\Users\user\Desktop\LisectAVT_2403002A_124.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               2024-07-25 22:05:08 UTC | 155 | OUT | GET / HTTP/1.1
                                               User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                               Host: api.ipify.org
                                               Connection: Keep-Alive
                                               2024-07-25 22:05:08 UTC | 211 | IN | HTTP/1.1 200 OK
                                               Date: Thu, 25 Jul 2024 22:05:08 GMT
                                               Content-Type: text/plain
                                               Content-Length: 11
                                               Connection: close
                                               Vary: Origin
                                               CF-Cache-Status: DYNAMIC
                                               Server: cloudflare
                                               CF-RAY: 8a8f731ee853432b-EWR
                                               2024-07-25 22:05:08 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                               Data Ascii: 8.46.123.33

                                              Target ID:0
                                              Start time:18:05:03
                                              Start date:25/07/2024
                                              Path:C:\Users\user\Desktop\LisectAVT_2403002A_124.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\LisectAVT_2403002A_124.exe"
                                              Imagebase:0x2f0000
                                              File size:705'542 bytes
                                              MD5 hash:1E6FE7E9DD5292AC6ED4C77D742DA69B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1707848434.00000000044A2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1707848434.00000000044A2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1707848434.0000000003B85000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1707848434.0000000003B85000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:2
                                              Start time:18:05:06
                                              Start date:25/07/2024
                                              Path:C:\Users\user\Desktop\LisectAVT_2403002A_124.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\LisectAVT_2403002A_124.exe"
                                              Imagebase:0xee0000
                                              File size:705'542 bytes
                                              MD5 hash:1E6FE7E9DD5292AC6ED4C77D742DA69B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2912873981.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2912873981.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2914893392.0000000003341000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2914893392.0000000003341000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2914893392.0000000003367000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:false

                                                Execution Graph

                                                Execution Coverage:9.3%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:174
                                                Total number of Limit Nodes:6
                                                execution_graph 32967 70a7168 32968 70a72f3 32967->32968 32969 70a718e 32967->32969 32969->32968 32971 70a32f0 32969->32971 32972 70a73e8 PostMessageW 32971->32972 32973 70a7454 32972->32973 32973->32969 32930 4d54040 32931 4d54082 32930->32931 32933 4d54089 32930->32933 32932 4d540da CallWindowProcW 32931->32932 32931->32933 32932->32933 32760 70a51cc 32762 70a51d2 32760->32762 32761 70a517d 32762->32761 32766 70a5f28 32762->32766 32780 70a5f8e 32762->32780 32795 70a5f19 32762->32795 32767 70a5f42 32766->32767 32768 70a5f4a 32767->32768 32809 70a64cb 32767->32809 32814 70a6c30 32767->32814 32819 70a66fc 32767->32819 32823 70a633e 32767->32823 32827 70a6d1e 32767->32827 32831 70a63f9 32767->32831 32836 70a685a 32767->32836 32840 70a695a 32767->32840 32844 70a644d 32767->32844 32848 70a676d 32767->32848 32854 70a6808 32767->32854 32768->32762 32781 70a5f1c 32780->32781 32783 70a5f91 32780->32783 32782 70a5f4a 32781->32782 32784 70a64cb 2 API calls 32781->32784 32785 70a6808 4 API calls 32781->32785 32786 70a676d 2 API calls 32781->32786 32787 70a644d 2 API calls 32781->32787 32788 70a695a 2 API calls 32781->32788 32789 70a685a 2 API calls 32781->32789 32790 70a63f9 2 API calls 32781->32790 32791 70a6d1e 2 API calls 32781->32791 32792 70a633e 2 API calls 32781->32792 32793 70a66fc 2 API calls 32781->32793 32794 70a6c30 2 API calls 32781->32794 32782->32762 32783->32762 32784->32782 32785->32782 32786->32782 32787->32782 32788->32782 32789->32782 32790->32782 32791->32782 32792->32782 32793->32782 32794->32782 32796 70a5f28 32795->32796 32797 70a5f4a 32796->32797 32798 70a64cb 2 API calls 32796->32798 32799 70a6808 4 API calls 32796->32799 32800 70a676d 2 API calls 32796->32800 32801 70a644d 2 API calls 32796->32801 32802 70a695a 2 API calls 32796->32802 32803 70a685a 2 API calls 32796->32803 32804 70a63f9 2 API calls 32796->32804 32805 70a6d1e 2 API calls 32796->32805 32806 70a633e 2 API calls 32796->32806 32807 70a66fc 
2 API calls 32796->32807 32808 70a6c30 2 API calls 32796->32808 32797->32762 32798->32797 32799->32797 32800->32797 32801->32797 32802->32797 32803->32797 32804->32797 32805->32797 32806->32797 32807->32797 32808->32797 32810 70a6938 32809->32810 32861 70a49e9 32810->32861 32865 70a49f0 32810->32865 32811 70a6d4f 32815 70a6c36 32814->32815 32817 70a49e9 WriteProcessMemory 32815->32817 32818 70a49f0 WriteProcessMemory 32815->32818 32816 70a6c68 32817->32816 32818->32816 32869 70a4ad8 32819->32869 32873 70a4ae0 32819->32873 32820 70a671e 32877 70a4c78 32823->32877 32881 70a4c6d 32823->32881 32828 70a6d4f 32827->32828 32829 70a49e9 WriteProcessMemory 32827->32829 32830 70a49f0 WriteProcessMemory 32827->32830 32829->32828 32830->32828 32832 70a6418 32831->32832 32885 70a436a 32832->32885 32889 70a4370 32832->32889 32833 70a642d 32833->32768 32893 70a4858 32836->32893 32897 70a4850 32836->32897 32837 70a657a 32837->32768 32842 70a49e9 WriteProcessMemory 32840->32842 32843 70a49f0 WriteProcessMemory 32840->32843 32841 70a6988 32842->32841 32843->32841 32846 70a4858 Wow64SetThreadContext 32844->32846 32847 70a4850 Wow64SetThreadContext 32844->32847 32845 70a6467 32845->32768 32846->32845 32847->32845 32849 70a6418 32848->32849 32850 70a6ca7 32849->32850 32852 70a436a ResumeThread 32849->32852 32853 70a4370 ResumeThread 32849->32853 32851 70a642d 32851->32768 32852->32851 32853->32851 32901 70a4929 32854->32901 32905 70a4930 32854->32905 32855 70a6826 32859 70a49e9 WriteProcessMemory 32855->32859 32860 70a49f0 WriteProcessMemory 32855->32860 32856 70a6c68 32859->32856 32860->32856 32862 70a49f0 WriteProcessMemory 32861->32862 32864 70a4a8f 32862->32864 32864->32811 32866 70a4a38 WriteProcessMemory 32865->32866 32868 70a4a8f 32866->32868 32868->32811 32870 70a4b2b ReadProcessMemory 32869->32870 32872 70a4b6f 32870->32872 32872->32820 32874 70a4b2b ReadProcessMemory 32873->32874 32876 70a4b6f 32874->32876 32876->32820 32878 70a4d01 32877->32878 32878->32878 32879 70a4e66 
CreateProcessA 32878->32879 32880 70a4ec3 32879->32880 32882 70a4c78 CreateProcessA 32881->32882 32884 70a4ec3 32882->32884 32886 70a4370 ResumeThread 32885->32886 32888 70a43e1 32886->32888 32888->32833 32890 70a43b0 ResumeThread 32889->32890 32892 70a43e1 32890->32892 32892->32833 32894 70a489d Wow64SetThreadContext 32893->32894 32896 70a48e5 32894->32896 32896->32837 32898 70a489d Wow64SetThreadContext 32897->32898 32900 70a48e5 32898->32900 32900->32837 32902 70a4930 VirtualAllocEx 32901->32902 32904 70a49ad 32902->32904 32904->32855 32906 70a4970 VirtualAllocEx 32905->32906 32908 70a49ad 32906->32908 32908->32855 32909 26f4668 32910 26f467a 32909->32910 32911 26f4686 32910->32911 32913 26f4778 32910->32913 32914 26f479d 32913->32914 32918 26f4879 32914->32918 32922 26f4888 32914->32922 32920 26f4888 32918->32920 32919 26f498c 32919->32919 32920->32919 32926 26f44b4 32920->32926 32924 26f48af 32922->32924 32923 26f498c 32924->32923 32925 26f44b4 CreateActCtxA 32924->32925 32925->32923 32927 26f5918 CreateActCtxA 32926->32927 32929 26f59db 32927->32929 32929->32929 32934 26facf0 32935 26facf2 32934->32935 32939 26fade8 32935->32939 32947 26fadd7 32935->32947 32936 26facff 32940 26fadf9 32939->32940 32941 26fae1c 32939->32941 32940->32941 32955 26fb071 32940->32955 32959 26fb080 32940->32959 32941->32936 32942 26fae14 32942->32941 32943 26fb020 GetModuleHandleW 32942->32943 32944 26fb04d 32943->32944 32944->32936 32948 26fade8 32947->32948 32950 26fae1c 32948->32950 32953 26fb071 LoadLibraryExW 32948->32953 32954 26fb080 LoadLibraryExW 32948->32954 32949 26fae14 32949->32950 32951 26fb020 GetModuleHandleW 32949->32951 32950->32936 32952 26fb04d 32951->32952 32952->32936 32953->32949 32954->32949 32956 26fb080 32955->32956 32958 26fb0b9 32956->32958 32963 26fa170 32956->32963 32958->32942 32960 26fb094 32959->32960 32961 26fb0b9 32960->32961 32962 26fa170 LoadLibraryExW 32960->32962 32961->32942 32962->32961 32964 26fb260 LoadLibraryExW 32963->32964 32966 26fb2d9 
32964->32966 32966->32958 32974 26fd080 32975 26fd0c6 32974->32975 32979 26fd668 32975->32979 32982 26fd658 32975->32982 32976 26fd1b3 32986 26fd2bc 32979->32986 32983 26fd668 32982->32983 32984 26fd2bc DuplicateHandle 32983->32984 32985 26fd696 32984->32985 32985->32976 32987 26fd6d0 DuplicateHandle 32986->32987 32988 26fd696 32987->32988 32988->32976
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1709450480.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4d50000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 549f8bdfa65b60528b23a0e830b593f81d1bd092039940b0be523d28e7318a6b
                                                • Instruction ID: 431a1fcf49fe30039f79f1deb7e82929fddc5a8fbb67983c5b881bd5a97af8e7
                                                • Opcode Fuzzy Hash: 549f8bdfa65b60528b23a0e830b593f81d1bd092039940b0be523d28e7318a6b
                                                • Instruction Fuzzy Hash: F4C2D534A11218CFDB55DF68C894AD9B7B2FF8A304F1141E9E909AB365DB31AE85CF40
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9a2a029bd6a9bd84a71d290d5acfca6022e509fafbec91a54239451781644aa6
                                                • Instruction ID: ffe599928ccd109a4fafcd8adb5c4cb3dc222a598ac7ab5fce7a666c5c9121c4
                                                • Opcode Fuzzy Hash: 9a2a029bd6a9bd84a71d290d5acfca6022e509fafbec91a54239451781644aa6
                                                • Instruction Fuzzy Hash: 50C08095D9F054F6C91119C458000FDF73C95870A1F0C3252D22E63002410243340155

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 501 70a4c6d-70a4d0d 504 70a4d0f-70a4d19 501->504 505 70a4d46-70a4d66 501->505 504->505 506 70a4d1b-70a4d1d 504->506 512 70a4d68-70a4d72 505->512 513 70a4d9f-70a4dce 505->513 507 70a4d1f-70a4d29 506->507 508 70a4d40-70a4d43 506->508 510 70a4d2b 507->510 511 70a4d2d-70a4d3c 507->511 508->505 510->511 511->511 514 70a4d3e 511->514 512->513 515 70a4d74-70a4d76 512->515 519 70a4dd0-70a4dda 513->519 520 70a4e07-70a4ec1 CreateProcessA 513->520 514->508 517 70a4d78-70a4d82 515->517 518 70a4d99-70a4d9c 515->518 521 70a4d86-70a4d95 517->521 522 70a4d84 517->522 518->513 519->520 524 70a4ddc-70a4dde 519->524 533 70a4eca-70a4f50 520->533 534 70a4ec3-70a4ec9 520->534 521->521 523 70a4d97 521->523 522->521 523->518 525 70a4de0-70a4dea 524->525 526 70a4e01-70a4e04 524->526 528 70a4dee-70a4dfd 525->528 529 70a4dec 525->529 526->520 528->528 531 70a4dff 528->531 529->528 531->526 544 70a4f52-70a4f56 533->544 545 70a4f60-70a4f64 533->545 534->533 544->545 546 70a4f58 544->546 547 70a4f66-70a4f6a 545->547 548 70a4f74-70a4f78 545->548 546->545 547->548 549 70a4f6c 547->549 550 70a4f7a-70a4f7e 548->550 551 70a4f88-70a4f8c 548->551 549->548 550->551 552 70a4f80 550->552 553 70a4f9e-70a4fa5 551->553 554 70a4f8e-70a4f94 551->554 552->551 555 70a4fbc 553->555 556 70a4fa7-70a4fb6 553->556 554->553 558 70a4fbd 555->558 556->555 558->558
                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070A4EAE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 77279826648b4bdce1bf9ab6c6fd40703c777944cd552385956f4312b62a4e9f
                                                • Instruction ID: 7600abd61a7bb2a2d5603279d569b3b56862074763dfd489f10fd6fec89214a7
                                                • Opcode Fuzzy Hash: 77279826648b4bdce1bf9ab6c6fd40703c777944cd552385956f4312b62a4e9f
                                                • Instruction Fuzzy Hash: A6A16BB5D0025ADFDB50CFA8C8417EDBBF2BF48314F1482A9E809A7250DBB49985CF91

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 559 70a4c78-70a4d0d 561 70a4d0f-70a4d19 559->561 562 70a4d46-70a4d66 559->562 561->562 563 70a4d1b-70a4d1d 561->563 569 70a4d68-70a4d72 562->569 570 70a4d9f-70a4dce 562->570 564 70a4d1f-70a4d29 563->564 565 70a4d40-70a4d43 563->565 567 70a4d2b 564->567 568 70a4d2d-70a4d3c 564->568 565->562 567->568 568->568 571 70a4d3e 568->571 569->570 572 70a4d74-70a4d76 569->572 576 70a4dd0-70a4dda 570->576 577 70a4e07-70a4ec1 CreateProcessA 570->577 571->565 574 70a4d78-70a4d82 572->574 575 70a4d99-70a4d9c 572->575 578 70a4d86-70a4d95 574->578 579 70a4d84 574->579 575->570 576->577 581 70a4ddc-70a4dde 576->581 590 70a4eca-70a4f50 577->590 591 70a4ec3-70a4ec9 577->591 578->578 580 70a4d97 578->580 579->578 580->575 582 70a4de0-70a4dea 581->582 583 70a4e01-70a4e04 581->583 585 70a4dee-70a4dfd 582->585 586 70a4dec 582->586 583->577 585->585 588 70a4dff 585->588 586->585 588->583 601 70a4f52-70a4f56 590->601 602 70a4f60-70a4f64 590->602 591->590 601->602 603 70a4f58 601->603 604 70a4f66-70a4f6a 602->604 605 70a4f74-70a4f78 602->605 603->602 604->605 606 70a4f6c 604->606 607 70a4f7a-70a4f7e 605->607 608 70a4f88-70a4f8c 605->608 606->605 607->608 609 70a4f80 607->609 610 70a4f9e-70a4fa5 608->610 611 70a4f8e-70a4f94 608->611 609->608 612 70a4fbc 610->612 613 70a4fa7-70a4fb6 610->613 611->610 615 70a4fbd 612->615 613->612 615->615
                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070A4EAE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 7caaf99a821baf55cb1beb8cc40620ed357f1c28fa3c843a453277d5ac969cba
                                                • Instruction ID: c22af762174316748e52dddd0008c6816f4196bc30e7616dee941432cd4ec49f
                                                • Opcode Fuzzy Hash: 7caaf99a821baf55cb1beb8cc40620ed357f1c28fa3c843a453277d5ac969cba
                                                • Instruction Fuzzy Hash: A8915BB5D0025ADFDB50CFA8C8417DDBBF2BF48314F1486A9E808A7254DBB49985CF91

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 616 26fade8-26fadf7 617 26fadf9-26fae06 call 26fa10c 616->617 618 26fae23-26fae27 616->618 624 26fae1c 617->624 625 26fae08 617->625 620 26fae3b-26fae7c 618->620 621 26fae29-26fae33 618->621 627 26fae7e-26fae86 620->627 628 26fae89-26fae97 620->628 621->620 624->618 673 26fae0e call 26fb071 625->673 674 26fae0e call 26fb080 625->674 627->628 629 26faebb-26faebd 628->629 630 26fae99-26fae9e 628->630 635 26faec0-26faec7 629->635 632 26faea9 630->632 633 26faea0-26faea7 call 26fa118 630->633 631 26fae14-26fae16 631->624 634 26faf58-26faf6f 631->634 637 26faeab-26faeb9 632->637 633->637 649 26faf71-26fafd0 634->649 638 26faec9-26faed1 635->638 639 26faed4-26faedb 635->639 637->635 638->639 642 26faedd-26faee5 639->642 643 26faee8-26faeea call 26fa128 639->643 642->643 645 26faeef-26faef1 643->645 647 26faefe-26faf03 645->647 648 26faef3-26faefb 645->648 650 26faf05-26faf0c 647->650 651 26faf21-26faf2e 647->651 648->647 667 26fafd2-26fb018 649->667 650->651 652 26faf0e-26faf1e call 26fa138 call 26fa148 650->652 658 26faf51-26faf57 651->658 659 26faf30-26faf4e 651->659 652->651 659->658 668 26fb01a-26fb01d 667->668 669 26fb020-26fb04b GetModuleHandleW 667->669 668->669 670 26fb04d-26fb053 669->670 671 26fb054-26fb068 669->671 670->671 673->631 674->631
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 026FB03E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707237070.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_26f0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: df3cba09e99db3271da695cc2b9bec4a3002df1eb0d6e65640f9c242c29b8664
                                                • Instruction ID: ca46b5e611f1edc3ed49a414d84c445ed579883e7f5315417fb629e6a863a56f
                                                • Opcode Fuzzy Hash: df3cba09e99db3271da695cc2b9bec4a3002df1eb0d6e65640f9c242c29b8664
                                                • Instruction Fuzzy Hash: 43713270A00B058FDB64DF69D44475ABBF1FF88304F008A2DD58A9BB50E735E84ACB94

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 783 26f590c-26f5916 784 26f5918-26f59d9 CreateActCtxA 783->784 786 26f59db-26f59e1 784->786 787 26f59e2-26f5a3c 784->787 786->787 794 26f5a3e-26f5a41 787->794 795 26f5a4b-26f5a4f 787->795 794->795 796 26f5a51-26f5a5d 795->796 797 26f5a60 795->797 796->797 799 26f5a61 797->799 799->799
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 026F59C9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707237070.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_26f0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 5c87529c088e85c8ba28306a068d0a552d9374979dffb15e7c3b0da6aab7d71f
                                                • Instruction ID: 4938844ebb0371442a97a8e5a9643857474da3672d9504fd306fbeb7554748ae
                                                • Opcode Fuzzy Hash: 5c87529c088e85c8ba28306a068d0a552d9374979dffb15e7c3b0da6aab7d71f
                                                • Instruction Fuzzy Hash: 4141F2B0D00719CBDB24CFA9C9847DEBBB5BF48304F20806AD509AB255DB75698ACF90

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 800 26f44b4-26f59d9 CreateActCtxA 803 26f59db-26f59e1 800->803 804 26f59e2-26f5a3c 800->804 803->804 811 26f5a3e-26f5a41 804->811 812 26f5a4b-26f5a4f 804->812 811->812 813 26f5a51-26f5a5d 812->813 814 26f5a60 812->814 813->814 816 26f5a61 814->816 816->816
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 026F59C9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707237070.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_26f0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: b36b25f77a0aae2c4f72d0301a35688678b38cc2d5d80594bab052a9ef8906c9
                                                • Instruction ID: 461ec883da80b42e6cd3ef783f2d31f4252571761a3c1f19d0d4e86d3389bb7f
                                                • Opcode Fuzzy Hash: b36b25f77a0aae2c4f72d0301a35688678b38cc2d5d80594bab052a9ef8906c9
                                                • Instruction Fuzzy Hash: B441F1B0D00719CBDB24DFA9C884BDEBBB5BF48304F20806AD509AB255DB756945CF90

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 817 4d54040-4d5407c 818 4d54082-4d54087 817->818 819 4d5412c-4d5414c 817->819 820 4d54089-4d540c0 818->820 821 4d540da-4d54112 CallWindowProcW 818->821 825 4d5414f-4d5415c 819->825 828 4d540c2-4d540c8 820->828 829 4d540c9-4d540d8 820->829 822 4d54114-4d5411a 821->822 823 4d5411b-4d5412a 821->823 822->823 823->825 828->829 829->825
                                                APIs
                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 04D54101
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1709450480.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4d50000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: CallProcWindow
                                                • String ID:
                                                • API String ID: 2714655100-0
                                                • Opcode ID: 54d80e90fb68e6c46868caaa5c52d372a3a06498c38b14cd06f5be0deb4001e1
                                                • Instruction ID: 32c11c462ef919857e9d267a554f826e6b86569e43f945011abab488ca29b095
                                                • Opcode Fuzzy Hash: 54d80e90fb68e6c46868caaa5c52d372a3a06498c38b14cd06f5be0deb4001e1
                                                • Instruction Fuzzy Hash: 78411AB8A00315DFDB14DF99C448B9ABBF5FB88314F24C459D519AB321D774A841CFA1

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 831 70a49e9-70a4a3e 834 70a4a4e-70a4a8d WriteProcessMemory 831->834 835 70a4a40-70a4a4c 831->835 837 70a4a8f-70a4a95 834->837 838 70a4a96-70a4ac6 834->838 835->834 837->838
                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070A4A80
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 72272ad4ee1578fde9ca04f6c4bc55356ba709b45e6c1fce35fcc9bfcacf5b0f
                                                • Instruction ID: b46ab4ea93942a06037cc9530c36d028c38b47dce15d93ca976ca923fa8cd67e
                                                • Opcode Fuzzy Hash: 72272ad4ee1578fde9ca04f6c4bc55356ba709b45e6c1fce35fcc9bfcacf5b0f
                                                • Instruction Fuzzy Hash: 102148B5900359DFCB10CFA9C885BEEBBF4FF48310F108429E959A7251D7789944CBA4
                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070A4A80
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 6845b2506ebe24a9051347906b3b5971f53a2ad24e1b0603e778a1b85ed3fe19
                                                • Instruction ID: 1dcfca67cfabb97ce6cdbe260d5bb20df46cfb58b5bb5ed999de6469eca374cd
                                                • Opcode Fuzzy Hash: 6845b2506ebe24a9051347906b3b5971f53a2ad24e1b0603e778a1b85ed3fe19
                                                • Instruction Fuzzy Hash: 9F2127B59003599FCB10CFA9C885BDEBBF5FF48310F108429E959A7251D7789944CBA4
                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070A4B60
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: b600641f6123248a1d23a609aac0ae2c9ccb2432126bf453e88a76e7df1c6d32
                                                • Instruction ID: e64e5a638f98173c715a727f067c0fc285b9af7f15ae0c5254158ab335feffa0
                                                • Opcode Fuzzy Hash: b600641f6123248a1d23a609aac0ae2c9ccb2432126bf453e88a76e7df1c6d32
                                                • Instruction Fuzzy Hash: C92125B1C003599FDB10DFA9C881BDEBBF5FF88320F108429E959A7251C7789940CBA0
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070A48D6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 4dd1d59bb2f67dc20e6907df60d25a73ff1f731d2a025c83e4455bd1f1a7fe1b
                                                • Instruction ID: ac79d4d2bf330c20398622a73cdf8e76978656b99fe6403d766d93f6ff7f5bf6
                                                • Opcode Fuzzy Hash: 4dd1d59bb2f67dc20e6907df60d25a73ff1f731d2a025c83e4455bd1f1a7fe1b
                                                • Instruction Fuzzy Hash: 072157B5D003499FDB10DFAAC4857EEBBF4EF88324F10842AD459A7251C7789944CFA0
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,026FD696,?,?,?,?,?), ref: 026FD757
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707237070.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_26f0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 45ba7382e5e5346b8bdbda986f274a7c0f18e5c2aadd699e6bc6cd8b96fde281
                                                • Instruction ID: e66290dad6f5f5801e7a43ec4346637960a4ec71e39bc614fa50b340c11b0d58
                                                • Opcode Fuzzy Hash: 45ba7382e5e5346b8bdbda986f274a7c0f18e5c2aadd699e6bc6cd8b96fde281
                                                • Instruction Fuzzy Hash: 9F21E3B5900249DFDB10CFAAD984ADEBBF5EB48310F14842AE918A7310D378A944CFA5
                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070A4B60
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: 147157ce6173cea04a1264cdd50b8f0e4df718cc01c7f2a8e08660ccb90c2a10
                                                • Instruction ID: f8c28db0d96fcd9a23dbf1d1fd390248ffb4710bfbd0e8e0f5d4dd04c80a9047
                                                • Opcode Fuzzy Hash: 147157ce6173cea04a1264cdd50b8f0e4df718cc01c7f2a8e08660ccb90c2a10
                                                • Instruction Fuzzy Hash: 8721E5B19003599FDB10DFAAC885ADEBBF5FF48320F108429E559A7250C7789544CBA4
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070A48D6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 4c4b83a727a7e4524c15666a048c565e41c2b32aa5076fb42cb9b0f4529ce6d2
                                                • Instruction ID: 273987fb706fad6722ccc87a909df52e20cf97b7dba0f2a4d8daed636da43a15
                                                • Opcode Fuzzy Hash: 4c4b83a727a7e4524c15666a048c565e41c2b32aa5076fb42cb9b0f4529ce6d2
                                                • Instruction Fuzzy Hash: 922147B5D003499FDB10DFAAC4857EEBBF4EF48320F10842AE459A7240CB78A944CFA4
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,026FD696,?,?,?,?,?), ref: 026FD757
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707237070.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_26f0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: c8c1e3dd40870f7ed308cdd1192f5018e7c635e3ec50b7fd67f63c2c096f7e33
                                                • Instruction ID: 1c0b0577fe67ef8b002d5293c4f78a46943e3e9bf3182329197ad884a46a82bd
                                                • Opcode Fuzzy Hash: c8c1e3dd40870f7ed308cdd1192f5018e7c635e3ec50b7fd67f63c2c096f7e33
                                                • Instruction Fuzzy Hash: 4621C2B59002599FDB10CFAAD984ADEBFF4EB48320F14841AE958A7350D378A944CFA5
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070A499E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 4fc250ae589a440765d0a0d2b5926f33b15bedb2ae80ff7779d65edf6d8d765e
                                                • Instruction ID: 38fe8ac855442e995d15389489984b0c447a2f4d4c11cfb89373ba950a5763bd
                                                • Opcode Fuzzy Hash: 4fc250ae589a440765d0a0d2b5926f33b15bedb2ae80ff7779d65edf6d8d765e
                                                • Instruction Fuzzy Hash: 561159B6900249DFCB10DFA9D845BEEBFF5EF88324F208829E955A7250C7759550CFA0
                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,026FB0B9,00000800,00000000,00000000), ref: 026FB2CA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707237070.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_26f0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: a501fcebdf061011aa0e08125758b63409da195e13bae44109f002a58d3535e7
                                                • Instruction ID: af6276f8cfd3bec76832e3bd15bf90d2c1e2005b743a819951163cc00f694741
                                                • Opcode Fuzzy Hash: a501fcebdf061011aa0e08125758b63409da195e13bae44109f002a58d3535e7
                                                • Instruction Fuzzy Hash: FF1126B6D002498FDB10CFAAD984ADEFBF4EB88314F10842ED519A7610C375A545CFA4
                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,026FB0B9,00000800,00000000,00000000), ref: 026FB2CA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707237070.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_26f0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: e145886818827103234f628c06ad0212683e40ce251f509d0a02acb743a3416c
                                                • Instruction ID: b482823dc546c8fc0e87d1f926afe670ce58b728c63777b78030cc1376881bc5
                                                • Opcode Fuzzy Hash: e145886818827103234f628c06ad0212683e40ce251f509d0a02acb743a3416c
                                                • Instruction Fuzzy Hash: 721114B69002499FDB10CF9AC584AEEFBF4EB88314F10842AE519A7210C375A545CFA4
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070A499E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 839e4705c642a69b47bac8b091d99431946ef49e04f8a48a4e3b6fd3bf77f838
                                                • Instruction ID: 10f801ad98c36f8ce57a3b498e6ec8df05355ceeb6035d97fcc322f313d0178e
                                                • Opcode Fuzzy Hash: 839e4705c642a69b47bac8b091d99431946ef49e04f8a48a4e3b6fd3bf77f838
                                                • Instruction Fuzzy Hash: 8B1137B59002499FCB10DFAAD844BDEBFF5EF88324F208819E555A7250C775A954CFA0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: edc2fee6eaf0df1491551b7a789e4b7fd370ddd352d4b2d8edcdf768eabf1d82
                                                • Instruction ID: 8be39c990a8713fd3e086d78f342f750942a2f56c9804d7b9a0dc743cf38f890
                                                • Opcode Fuzzy Hash: edc2fee6eaf0df1491551b7a789e4b7fd370ddd352d4b2d8edcdf768eabf1d82
                                                • Instruction Fuzzy Hash: 471149B5D043898FDB10DFAAC4457AEFBF4EB88320F248829D459A7250C7796544CF94
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: f4e4e2d9b9748d02d42976b588035d50035ca7762a555c01486d95b0999b9f14
                                                • Instruction ID: c700dda207d82f26e97730f7938ac6778f490fe7080ca8e33d67f48cc5dfd9ae
                                                • Opcode Fuzzy Hash: f4e4e2d9b9748d02d42976b588035d50035ca7762a555c01486d95b0999b9f14
                                                • Instruction Fuzzy Hash: A1113AB5D003498FCB10DFAAC4457DEFBF4EB88324F208819D559A7250C779A544CF94
                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 070A7445
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 50f5f3e15b945a48cf6d542ce94327e9cb5bdaeddf325f85072c80f57e19cee6
                                                • Instruction ID: 0028f9eb2845068c6f99cc24d940ef4c7f4ccf82442a4cb06a5e45b1dc65354b
                                                • Opcode Fuzzy Hash: 50f5f3e15b945a48cf6d542ce94327e9cb5bdaeddf325f85072c80f57e19cee6
                                                • Instruction Fuzzy Hash: 5B1106B5900349DFDB10DF99C484BDEBFF8EB48314F109419E558A7210C3B5A944CFA5
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 026FB03E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707237070.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_26f0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 50266426f447c2dc5f67b2da96ae00ddc913456b55bd3fa9cdfb5694b578fa0a
                                                • Instruction ID: f3710d8d4d333fa6d480f99abb9c7cfccee008cd17ce8e1dd50d1e0694fa905b
                                                • Opcode Fuzzy Hash: 50266426f447c2dc5f67b2da96ae00ddc913456b55bd3fa9cdfb5694b578fa0a
                                                • Instruction Fuzzy Hash: 46110FB5C002898FCB10CF9AD444BDEFBF4AB88328F10842AD529A7610D379A545CFA5
                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 070A7445
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 9b4791a312aac5614a26ab2a7eff0dc5c513086322bd4c858d671cf6e0bdbed0
                                                • Instruction ID: b4b24467d1bbbc7ec2d6ea23bfc83a5a1613b3ea2a7d0b7b7f158a9f85a35f7a
                                                • Opcode Fuzzy Hash: 9b4791a312aac5614a26ab2a7eff0dc5c513086322bd4c858d671cf6e0bdbed0
                                                • Instruction Fuzzy Hash: 6B11F2B5800249DFDB10DF99D885BEEBBF4FB48324F10851AE959A7610C375A984CFA1
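The blocks above are Joe Sandbox's per-function disassembly metadata, and the point an analyst takes from them is the call set recovered from the 070A0000 region: VirtualAllocEx, ReadProcessMemory, Wow64SetThreadContext and ResumeThread in one injected code region is the footprint behind the report's "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures. The script below is an added triage example, not part of the Joe Sandbox report or its tooling. It parses blocks in the layout shown here, groups API names by the dump region (the "Offset:" value) they were recovered from, and flags a region whose set matches that hollowing pattern. Two assumptions are labelled in the code: the reconstruction of Joe Sandbox's word-sorted "API ID" form (e.g. Wow64SetThreadContext rendered as ContextThreadWow64) is inferred from the pairs visible on this page, not from documentation, and the indicator set is a heuristic, not Joe Sandbox's own rule. The sample input is an excerpt of the report's own lines, trimmed.

```python
"""Triage helper for the "APIs" / "Memory Dump Source" blocks of a Joe Sandbox report.

Added example; not Joe Sandbox code. Groups recovered API calls by dump region and
flags the process-hollowing footprint (allocate in a foreign process, rewrite the
suspended thread's context, resume).
"""
import re
from collections import defaultdict

# Excerpt of the report's own metadata lines, trimmed to what the parser needs.
# The ResumeThread block carries only an "API ID" line in the report, as here.
SAMPLE_REPORT = """\
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070A499E
Memory Dump Source
• Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
Similarity
• API ID: AllocVirtual
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070A48D6
Memory Dump Source
• Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
Similarity
• API ID: ContextThreadWow64
APIs
Memory Dump Source
• Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
Similarity
• API ID: ResumeThread
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070A4B60
Memory Dump Source
• Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
Similarity
• API ID: MemoryProcessRead
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,026FB0B9,00000800,00000000,00000000), ref: 026FB2CA
Memory Dump Source
• Source File: 00000000.00000002.1707237070.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
Similarity
• API ID: LibraryLoad
"""

# ASSUMPTION: Joe Sandbox's "API ID" looks like the API name split into CamelCase
# tokens, with Get/Set and the Ex/W/A suffixes dropped, then sorted. Inferred from
# the pairs on this page (LoadLibraryExW -> LibraryLoad, GetModuleHandleW ->
# HandleModule); not a documented algorithm. id_form_mismatches() checks it.
DROPPED_TOKENS = {"Get", "Set", "Ex", "W", "A"}

REF_RE = re.compile(r"^•?\s*([A-Za-z0-9_]+)\.([A-Za-z0-9_]+)\(.*\),\s*ref:\s*([0-9A-Fa-f]+)")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")
APIID_RE = re.compile(r"API ID:\s*(\S+)?")


def joe_api_id(api_name):
    """Reconstruct the word-sorted API ID form for one Win32 API name."""
    tokens = re.findall(r"[A-Z][a-z0-9]*", api_name)
    return "".join(sorted(t for t in tokens if t not in DROPPED_TOKENS))


def parse_blocks(text):
    """Split the report text into blocks starting at each 'APIs' line."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"offset": None, "calls": [], "api_ids": []}
            blocks.append(current)
            continue
        if current is None:
            continue
        m = REF_RE.match(line)
        if m:  # resolved call: API.module(args), ref: address
            current["calls"].append({"api": m.group(1), "module": m.group(2), "ref": m.group(3).upper()})
            continue
        m = OFFSET_RE.search(line)
        if m:  # dump region the function was recovered from
            current["offset"] = m.group(1).upper()
            continue
        m = APIID_RE.search(line)
        if m and m.group(1):  # multi-API blocks join IDs with '$'
            current["api_ids"].extend(m.group(1).split("$"))
    return blocks


def apis_by_region(text):
    """Map dump-region offset -> set of API IDs seen in that region."""
    regions = defaultdict(set)
    for b in parse_blocks(text):
        ids = {joe_api_id(c["api"]) for c in b["calls"]} | set(b["api_ids"])
        regions[b["offset"]].update(ids)
    return dict(regions)


# ASSUMPTION: heuristic indicator set for process hollowing; one alternative per
# group must be present in the same region. Supporting calls are reported, not required.
CORE = [("VirtualAllocEx",), ("Wow64SetThreadContext", "SetThreadContext"), ("ResumeThread",)]
SUPPORT = ["ReadProcessMemory", "WriteProcessMemory"]


def hollowing_indicators(text):
    """Return {offset: [supporting APIs present]} for regions matching CORE."""
    hits = {}
    for offset, ids in apis_by_region(text).items():
        if all(any(joe_api_id(alt) in ids for alt in group) for group in CORE):
            hits[offset] = sorted(n for n in SUPPORT if joe_api_id(n) in ids)
    return hits


def id_form_mismatches(text):
    """Blocks where the reconstructed API ID disagrees with the report's own."""
    bad = []
    for b in parse_blocks(text):
        if len(b["calls"]) == 1 and len(b["api_ids"]) == 1:
            got, want = joe_api_id(b["calls"][0]["api"]), b["api_ids"][0]
            if got != want:
                bad.append((b["calls"][0]["api"], got, want))
    return bad


if __name__ == "__main__":
    for offset, support in hollowing_indicators(SAMPLE_REPORT).items():
        print(f"region {offset}: hollowing core present, supporting calls {support}")
    print("API ID form mismatches:", id_form_mismatches(SAMPLE_REPORT))
```

Run against the full report text rather than the excerpt to see every region; a region that reaches the hollowing core without WriteProcessMemory, as in this excerpt, usually means the write primitive sits in a block whose "ref" line was not resolved, so check the neighbouring "API ID" values before concluding the write is absent.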
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1706220535.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_9ad000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 73fa8483ea76f392a13161b2f6d34c7f3af79be77967d4c435e0906ae34f064f
                                                • Instruction ID: 37275e432e491f5ecad42a2433d43761f238d7adf77e29e523b0b4d8ff13c2ef
                                                • Opcode Fuzzy Hash: 73fa8483ea76f392a13161b2f6d34c7f3af79be77967d4c435e0906ae34f064f
                                                • Instruction Fuzzy Hash: 23212871500204DFDB05DF14D9C4B26BFA9FB99314F20C569D90A4B6A6C33AE856C6E1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1706220535.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_9ad000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 443c7e9f840fade748852c34be7929d0e14459dd0c50f9eca083a5f74766e3db
                                                • Instruction ID: fc21290ea9bec511794af0fe54eedbe6c3847135a19448be8f6ea40970fc1e5e
                                                • Opcode Fuzzy Hash: 443c7e9f840fade748852c34be7929d0e14459dd0c50f9eca083a5f74766e3db
                                                • Instruction Fuzzy Hash: 8E213771904240DFDB05DF14D9C0B2BBFA5FB99318F24C569E80A0B65AC33AD856DBE1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1706292030.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_9bd000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 95246c67a7b5da18d3bac0699d33015ad3c8393a12dac4f9d965aa2ccf24aad2
                                                • Instruction ID: 5eff6271012947e322346a8c2fc41a748b55f44844b8e04e1cd5c654d0d9a7a9
                                                • Opcode Fuzzy Hash: 95246c67a7b5da18d3bac0699d33015ad3c8393a12dac4f9d965aa2ccf24aad2
                                                • Instruction Fuzzy Hash: 0F213471604200DFCB14EF14DAC4B66BFA5FB88324F20C96DD80A4B296D33AD847CA61
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1706292030.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_9bd000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 14e28546ad21586912ab873dae38404080a5c8355eb4eb30b0f04df71d9dc531
                                                • Instruction ID: ea93431f941d49b82e0356b533e074c2fcd4ef6085636931c32b94a33f08b7a1
                                                • Opcode Fuzzy Hash: 14e28546ad21586912ab873dae38404080a5c8355eb4eb30b0f04df71d9dc531
                                                • Instruction Fuzzy Hash: FB212671504284EFDB05DF14DAC0B66BBA5FB84324F20CA6DE8194B296D33AD846CB61
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1706220535.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_9ad000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                • Instruction ID: b99f834f181d4fdc14fc318b870899bb44c9e8d6191c00ae17c855b7a2f403b5
                                                • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                • Instruction Fuzzy Hash: 3D110676404240CFDB01CF00D5C4B16BFB1FB98314F24C2A9D80A0B666C33AD456CBD1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1706220535.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_9ad000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                • Instruction ID: cdb6e66349bd41fe9d99d637cc1d5ab7286f59edce92ba2a5abbc769623f725a
                                                • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                • Instruction Fuzzy Hash: 5E11E676904280CFDB16CF14D5C4B16BF71FB94318F24C6A9EC4A0B65AC336D95ACBA1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1706292030.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_9bd000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction ID: da28b4c941d4d99fa20e95bf7a2a83fcb26e087ebb62c906ca85ddda078d49fc
                                                • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction Fuzzy Hash: 1D11BB75504284DFDB02CF10C6C4B55BFA1FB84324F24C6AAD8494B296C33AD80ACB61
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1706292030.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_9bd000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction ID: 6e729ddd3ef9c79037584ceac1ef4ade1cce5fb506a906f5b9ac18e27fb8d419
                                                • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction Fuzzy Hash: 0C11DD75504280CFCB11DF14D6C4B56FFA2FB84324F28C6AAD8094B656C33AD80ACBA2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1706220535.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_9ad000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6351c45df4594372af50cd7e1f052e29c2bd98ce86665f38bfcc2eb79c4074ea
                                                • Instruction ID: 10569c20de3ab2eda700ca3964f3c08c25a67451f59741af94e0683dcef4ee44
                                                • Opcode Fuzzy Hash: 6351c45df4594372af50cd7e1f052e29c2bd98ce86665f38bfcc2eb79c4074ea
                                                • Instruction Fuzzy Hash: 4101DBB100A3409AE7155E25CD88B67BFDCDF46324F18C92AED0A4E696D67DD840CAF1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1706220535.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_9ad000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5328d1a7bd7bb4792dfc16224ab0477f8aec41678872bf29839eff5bfe0f6196
                                                • Instruction ID: 4f660adeaffee2b59dfa27df4c99e5aeacb0c29c8af36976ea6777b97a06d842
                                                • Opcode Fuzzy Hash: 5328d1a7bd7bb4792dfc16224ab0477f8aec41678872bf29839eff5bfe0f6196
                                                • Instruction Fuzzy Hash: 92F062714053449AE7148E16C888B62FFACEB55734F18C45AED494E696C2799844CBB1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: abe36d8aeb4aaea69e1c48cefa7a070440de33f6f7f669dd89688103889ec9ae
                                                • Instruction ID: 9a594240f1dc015779d7dd5e7bbfa83c7eab1d7063e0ecb031f0c7c7c169fa91
                                                • Opcode Fuzzy Hash: abe36d8aeb4aaea69e1c48cefa7a070440de33f6f7f669dd89688103889ec9ae
                                                • Instruction Fuzzy Hash: DBE199B0B016059FDBAADBB5C450BAEB7F6AF89300F14856DD149DB3A0DB35E801CB51
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cd154444ba9e75c3e7169524c05862f5d5c4b60571111b38373c5fa40da55c46
                                                • Instruction ID: 9eddb8d39fed40e83243df6c8bee52898e0713dcad3945aeb6f37658fa2b7a15
                                                • Opcode Fuzzy Hash: cd154444ba9e75c3e7169524c05862f5d5c4b60571111b38373c5fa40da55c46
                                                • Instruction Fuzzy Hash: CDE1F9B4E006599FCB14DFA9C5809AEFBB2FF89304F24C269E414AB356D730A941CF61
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1709450480.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4d50000_LisectAVT_2403002A_124.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707237070.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_26f0000_LisectAVT_2403002A_124.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1709450480.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4d50000_LisectAVT_2403002A_124.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711219603.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_70a0000_LisectAVT_2403002A_124.jbxd

                                                Execution Graph

                                                Execution Coverage:12.1%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:17
                                                Total number of Limit Nodes:4
                                                execution_graph: rendered graph (entry node 1900848); the only named API call in the node listing is GlobalMemoryStatusEx (node 6f6fd10), node listing omitted
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq$$kq$$kq$$kq$$kq
                                                • API String ID: 0-1342094364

                                                Control-flow Graph

                                                control_flow_graph: rendered basic-block graph (executed / not executed blocks) for the function starting at 6f63138; block listing omitted
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq$$kq$$kq$$kq$$kq
                                                • API String ID: 0-1342094364

                                                Control-flow Graph

                                                control_flow_graph: rendered basic-block graph (executed / not executed blocks) for the function starting at 6f67e18, which calls 6f66640; block listing omitted
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq
                                                • API String ID: 0-3550614674
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd

                                                Control-flow Graph

                                                control_flow_graph: rendered basic-block graph (executed / not executed blocks) for the function starting at 6f6ad58, which calls 6f66640 and 6f6b2b2 / 6f6b2c0; block listing omitted
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
                                                • API String ID: 0-1078448309

                                                Control-flow Graph

                                                control_flow_graph: rendered basic-block graph (executed / not executed blocks) for the function starting at 6f691e0; block listing omitted
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq$$kq$$kq
                                                • API String ID: 0-2881790790

                                                Control-flow Graph

                                                control_flow_graph: rendered basic-block graph (executed / not executed blocks) for the function starting at 6f64c48, which calls 6f65500 / 6f654f1; block listing omitted
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: fpq$XPpq$\Opq
                                                • API String ID: 0-2571271785

                                                Control-flow Graph

                                                control_flow_graph: rendered basic-block graph (executed / not executed blocks) for the function starting at 6f691d3; block listing omitted
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq
                                                • API String ID: 0-3550614674
                                                • Opcode ID: c16ce5ee6144bf50d2ac1b538be2ec7993d1a428f87246ad4aac1898fdac596f
                                                • Instruction ID: eb7af31ff1e3bcd2dc5c46fd0c073d8093b8a4b6f0c2c6fd349270c182c497eb
                                                • Opcode Fuzzy Hash: c16ce5ee6144bf50d2ac1b538be2ec7993d1a428f87246ad4aac1898fdac596f
                                                • Instruction Fuzzy Hash: E0513F30F002068FDB54DF75D9A0B6E77FAEB88750F508569D509DB398EA78EC418B90

                                                Control-flow Graph

                                                control_flow_graph 1575 190e758-190ecb4 GlobalMemoryStatusEx 1578 190ecb6-190ecbc 1575->1578 1579 190ecbd-190ece5 1575->1579 1578->1579
                                                APIs
                                                • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0190EBBA), ref: 0190ECA7
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2914143226.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_1900000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                • Opcode ID: 6119b8e3c8be41a65bfc726f72acc5e14edc15326f2e593bc4579bdded4a8f14
                                                • Instruction ID: 6f7657de6f16ceb36ba8d64d07f89509bc1caa02cf36f02f1f0d1d3d752f4350
                                                • Opcode Fuzzy Hash: 6119b8e3c8be41a65bfc726f72acc5e14edc15326f2e593bc4579bdded4a8f14
                                                • Instruction Fuzzy Hash: 601103B1C006699FCB10DF9AC545B9EFBF4EB48320F14856AE918A7240D379A944CFA5

                                                Control-flow Graph

                                                control_flow_graph 1641 6f64c38-6f64c6c 1644 6f64c6e-6f64c71 1641->1644 1645 6f64c77-6f64d6f 1644->1645 1646 6f65350-6f65353 1644->1646 1666 6f64d75-6f64dbd 1645->1666 1667 6f64df2-6f64df9 1645->1667 1647 6f65374-6f65376 1646->1647 1648 6f65355-6f6536f 1646->1648 1650 6f6537d-6f65380 1647->1650 1651 6f65378 1647->1651 1648->1647 1650->1644 1652 6f65386-6f65393 1650->1652 1651->1650 1689 6f64dc2 call 6f65500 1666->1689 1690 6f64dc2 call 6f654f1 1666->1690 1668 6f64dff-6f64e6f 1667->1668 1669 6f64e7d-6f64e86 1667->1669 1686 6f64e71 1668->1686 1687 6f64e7a 1668->1687 1669->1652 1680 6f64dc8-6f64de4 1683 6f64de6 1680->1683 1684 6f64def-6f64df0 1680->1684 1683->1684 1684->1667 1686->1687 1687->1669 1689->1680 1690->1680
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: XPpq
                                                • API String ID: 0-1266478781
                                                • Opcode ID: 0b2da5fca88bead8b61d91eab0f25fb29953060b572bdb2463a2a77592f176f5
                                                • Instruction ID: b331f75a46a35a8f81009c28d5b1420acad1df60c87f6b504ce2436b6462ffe3
                                                • Opcode Fuzzy Hash: 0b2da5fca88bead8b61d91eab0f25fb29953060b572bdb2463a2a77592f176f5
                                                • Instruction Fuzzy Hash: 4F418471F002099FEB54EFB5C814BAEBAF6FF88710F208529E506AB395DA759C05CB50

                                                Control-flow Graph

                                                control_flow_graph 1691 6f64c40-6f64c6c 1694 6f64c6e-6f64c71 1691->1694 1695 6f64c77-6f64d6f 1694->1695 1696 6f65350-6f65353 1694->1696 1716 6f64d75-6f64dbd 1695->1716 1717 6f64df2-6f64df9 1695->1717 1697 6f65374-6f65376 1696->1697 1698 6f65355-6f6536f 1696->1698 1700 6f6537d-6f65380 1697->1700 1701 6f65378 1697->1701 1698->1697 1700->1694 1702 6f65386-6f65393 1700->1702 1701->1700 1739 6f64dc2 call 6f65500 1716->1739 1740 6f64dc2 call 6f654f1 1716->1740 1718 6f64dff-6f64e6f 1717->1718 1719 6f64e7d-6f64e86 1717->1719 1736 6f64e71 1718->1736 1737 6f64e7a 1718->1737 1719->1702 1730 6f64dc8-6f64de4 1733 6f64de6 1730->1733 1734 6f64def-6f64df0 1730->1734 1733->1734 1734->1717 1736->1737 1737->1719 1739->1730 1740->1730
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: XPpq
                                                • API String ID: 0-1266478781
                                                • Opcode ID: 0215be5a2642669bf4ccf2b9a2f754d82226e4041f017b71a8e3f21d59d39f7a
                                                • Instruction ID: 32c1b096d7ad01dbfc6f2e80446a05ae8014702ea095615e09e998e84f837209
                                                • Opcode Fuzzy Hash: 0215be5a2642669bf4ccf2b9a2f754d82226e4041f017b71a8e3f21d59d39f7a
                                                • Instruction Fuzzy Hash: 8F418370F002099FEB55EFB5C814BAEBAF6FF88710F208529E505AB398DA759C01CB50

                                                Control-flow Graph

                                                control_flow_graph 1741 6f64c3c-6f64c6c 1743 6f64c6e-6f64c71 1741->1743 1744 6f64c77-6f64d6f 1743->1744 1745 6f65350-6f65353 1743->1745 1765 6f64d75-6f64dbd 1744->1765 1766 6f64df2-6f64df9 1744->1766 1746 6f65374-6f65376 1745->1746 1747 6f65355-6f6536f 1745->1747 1749 6f6537d-6f65380 1746->1749 1750 6f65378 1746->1750 1747->1746 1749->1743 1751 6f65386-6f65393 1749->1751 1750->1749 1788 6f64dc2 call 6f65500 1765->1788 1789 6f64dc2 call 6f654f1 1765->1789 1767 6f64dff-6f64e6f 1766->1767 1768 6f64e7d-6f64e86 1766->1768 1785 6f64e71 1767->1785 1786 6f64e7a 1767->1786 1768->1751 1779 6f64dc8-6f64de4 1782 6f64de6 1779->1782 1783 6f64def-6f64df0 1779->1783 1782->1783 1783->1766 1785->1786 1786->1768 1788->1779 1789->1779
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: XPpq
                                                • API String ID: 0-1266478781
                                                • Opcode ID: f9653dbddca0e88fc4dc68345833442a47946a02fd0391dc2ceb4813615ae78c
                                                • Instruction ID: abeea4c47deb35ea3ab66ee1cc3371cc18c25b4955f2d7d38423968f4ae7058f
                                                • Opcode Fuzzy Hash: f9653dbddca0e88fc4dc68345833442a47946a02fd0391dc2ceb4813615ae78c
                                                • Instruction Fuzzy Hash: C7416370F002099FEB55DFA5C9147AEBBF6FF88300F208529E106AB395DA759C45CB50

                                                Control-flow Graph

                                                control_flow_graph 1790 6f6db40-6f6db57 1791 6f6db59-6f6db5c 1790->1791 1792 6f6db5e-6f6db8a 1791->1792 1793 6f6db8f-6f6db92 1791->1793 1792->1793 1794 6f6db94 1793->1794 1795 6f6dba1-6f6dba4 1793->1795 1800 6f6db9a-6f6db9c 1794->1800 1796 6f6dba6-6f6dbc2 1795->1796 1797 6f6dbc7-6f6dbc9 1795->1797 1796->1797 1798 6f6dbd0-6f6dbd3 1797->1798 1799 6f6dbcb 1797->1799 1798->1791 1801 6f6dbd5-6f6dbe4 1798->1801 1799->1798 1800->1795 1805 6f6dbea-6f6dc23 1801->1805 1806 6f6dd69-6f6dd93 1801->1806 1813 6f6dc25-6f6dc2f 1805->1813 1814 6f6dc71-6f6dc95 1805->1814 1809 6f6dd94 1806->1809 1809->1809 1818 6f6dc47-6f6dc6f 1813->1818 1819 6f6dc31-6f6dc37 1813->1819 1820 6f6dc97 1814->1820 1821 6f6dc9f-6f6dd63 1814->1821 1818->1813 1818->1814 1822 6f6dc3b-6f6dc3d 1819->1822 1823 6f6dc39 1819->1823 1820->1821 1821->1805 1821->1806 1822->1818 1823->1818
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: PHkq
                                                • API String ID: 0-902561536
                                                • Opcode ID: d53d87adf542091cfb7c443ca323d0e62d4777d3d64102f72236714b8ae17005
                                                • Instruction ID: 1cbb97807b11d2fb311cd0e43eaf9d3fb00a3cf5ebf215dc61fb015d7523eba4
                                                • Opcode Fuzzy Hash: d53d87adf542091cfb7c443ca323d0e62d4777d3d64102f72236714b8ae17005
                                                • Instruction Fuzzy Hash: B4418170F0020A9FDB65DF66D9546AEBBB6FF85340F204929E406EB344DB74E846CB81

                                                Control-flow Graph

                                                control_flow_graph 1829 6f622a0-6f622bb 1830 6f622bd-6f622c0 1829->1830 1831 6f622c2-6f622de 1830->1831 1832 6f622e3-6f622e5 1830->1832 1831->1832 1833 6f622e7 1832->1833 1834 6f622ec-6f622ef 1832->1834 1833->1834 1834->1830 1835 6f622f1-6f62317 1834->1835 1841 6f6231e-6f6234c 1835->1841 1846 6f623c3-6f623e7 1841->1846 1847 6f6234e-6f62358 1841->1847 1855 6f623f1 1846->1855 1856 6f623e9 1846->1856 1850 6f62370-6f623c1 1847->1850 1851 6f6235a-6f62360 1847->1851 1850->1846 1850->1847 1853 6f62364-6f62366 1851->1853 1854 6f62362 1851->1854 1853->1850 1854->1850 1856->1855
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: PHkq
                                                • API String ID: 0-902561536
                                                • Opcode ID: dedf06999532c595517aed2a6440021f6ee41820b7a4ed6266dab80a674c65ee
                                                • Instruction ID: d17b4958c9839ad99dca43bc0afe08471dd6b8d7362f95d52adc181e9464767c
                                                • Opcode Fuzzy Hash: dedf06999532c595517aed2a6440021f6ee41820b7a4ed6266dab80a674c65ee
                                                • Instruction Fuzzy Hash: CA310230F002018FDBA59B35D95566F7BEAFB89210F209928E402DB398DF35DE46C795
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq
                                                • API String ID: 0-3037731980
                                                • Opcode ID: 7959ed90dfb307a590bef45b25fdeebe48dbc50cd4e83fcef04cf338e77a8ba1
                                                • Instruction ID: 4307415e4d0fb852349f76a40a4e7c15e5e98011c29d36d855be5b664953c3b9
                                                • Opcode Fuzzy Hash: 7959ed90dfb307a590bef45b25fdeebe48dbc50cd4e83fcef04cf338e77a8ba1
                                                • Instruction Fuzzy Hash: 4801F732E102189FDB249E66DD856AAB77AFB40390F18442DF821D3250C7749D45C7A0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq
                                                • API String ID: 0-3037731980
                                                • Opcode ID: 78e6a8af4c7d4683ce2f325a9e749c27696de81070a178dd1287e9fd56e3190c
                                                • Instruction ID: 141499ef1224775352847606693b31a499e2c2f42210f83882032ff3ac88fc7e
                                                • Opcode Fuzzy Hash: 78e6a8af4c7d4683ce2f325a9e749c27696de81070a178dd1287e9fd56e3190c
                                                • Instruction Fuzzy Hash: 0501D636E102189FDB648E66DD446AAB7BAFB403A0F18447DF831D3250C6749D45C7E0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b869ac474f0ca7111fef0d013d8bf7ebf2bf06ae3305cd5ee9ca11eecd611402
                                                • Instruction ID: b845bab8c506667457418b73ea7ce58312dc2671846e664c432820b8b0eb95eb
                                                • Opcode Fuzzy Hash: b869ac474f0ca7111fef0d013d8bf7ebf2bf06ae3305cd5ee9ca11eecd611402
                                                • Instruction Fuzzy Hash: DA026531E002048FDB64DB65C584A5DFBF2FB84318F54C4A9E85AAB365DB35EE85CB80
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 192d13b1fd59020d6663cc852704bb12e807fd5d57ed6548122694aefc480143
                                                • Instruction ID: f726f37e81a60753a79032a479ff6877b17e204fb5adfdc6d5ca891d05ab6fbb
                                                • Opcode Fuzzy Hash: 192d13b1fd59020d6663cc852704bb12e807fd5d57ed6548122694aefc480143
                                                • Instruction Fuzzy Hash: A3A15230F102098FEF64DB5ED5907AE77BAEB89310F604825F409EB399DA35DC918751
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2e8bbdeed4d988e169411ed3d366a5aa7dbf18dd9b3639cd7594731cddae164b
                                                • Instruction ID: f1bc3c308643e9805f6aa5b60bb37ff5fbafb785f7490a8f9b807c1e99bfefbb
                                                • Opcode Fuzzy Hash: 2e8bbdeed4d988e169411ed3d366a5aa7dbf18dd9b3639cd7594731cddae164b
                                                • Instruction Fuzzy Hash: 7FA14970E0060A8FDBA0CB6AD5807ADB7B1FB45314F648926F419DB265DB34EC92CB91
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4d5c5cfe47bdcbb745878da9208ce6b0d110455db5220e9ab4c12fa052bb321b
                                                • Instruction ID: 98f88c18fa751028a08c46dcf901594d8c7571ec447e9688951f05dee59b003a
                                                • Opcode Fuzzy Hash: 4d5c5cfe47bdcbb745878da9208ce6b0d110455db5220e9ab4c12fa052bb321b
                                                • Instruction Fuzzy Hash: F4A14970E0060A8BDBA0CB6AD5807ADB7B1FB45314F608926F419DB265DB34EC91CB91
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4b29f394ca2353e259084e2f539a0ab52286e4dc250397e78b0d9902088fe047
                                                • Instruction ID: dc617227c6f9b95139a522acbbf0afb4411ef6ff04bf975f558898d348c8b883
                                                • Opcode Fuzzy Hash: 4b29f394ca2353e259084e2f539a0ab52286e4dc250397e78b0d9902088fe047
                                                • Instruction Fuzzy Hash: D661E4B2F001214FDF519A7EC98066EBAEBEFD4620B144439E40ADB378DE65DC028791
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4cffb8277b80cd403bb9095bd70e9d9f1325df708c8ee123784d623ed22945aa
                                                • Instruction ID: 328c5f0235fea04d5350579a8273bde308dea1f8f099babdae40f42fb2945a46
                                                • Opcode Fuzzy Hash: 4cffb8277b80cd403bb9095bd70e9d9f1325df708c8ee123784d623ed22945aa
                                                • Instruction Fuzzy Hash: 80813C30F002098BDF54EFA9D5557AEB7F6EB89310F108529E40ADB398EA75DC428B91
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 90be7c717b751e2806fa2a772b7151aaac98b8c5e29c0335e879786781ad0030
                                                • Instruction ID: 838d227dffacf72f14eb1be16cf201a9e77b5c86e61c57a2c8e652b7619d567c
                                                • Opcode Fuzzy Hash: 90be7c717b751e2806fa2a772b7151aaac98b8c5e29c0335e879786781ad0030
                                                • Instruction Fuzzy Hash: 49913E34E1021A8FDF60DF69C850B9DB7B1FF89310F20C599E549AB295DB70AA85CF90
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6e2d5acdf4cdace7a01138eb1ee976fa36710dc3a038473ed5f2700582119460
                                                • Instruction ID: 44533706cdaa74c4d46b407a70aefa58e6782da4c73d3cde0a32ae7840e61179
                                                • Opcode Fuzzy Hash: 6e2d5acdf4cdace7a01138eb1ee976fa36710dc3a038473ed5f2700582119460
                                                • Instruction Fuzzy Hash: DC811C30F102098BDF54EFA9D55476EB7F6EB89310F108529E40AEB398EB75EC428B51
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 655772e21727b9780220c18d4b63c4f0958b262a671589690b8837a53d41ab51
                                                • Instruction ID: 72c8598396f587a8bc13e0e5e81efe79aea7f9cec5e39d376dfa1a41a7df3be1
                                                • Opcode Fuzzy Hash: 655772e21727b9780220c18d4b63c4f0958b262a671589690b8837a53d41ab51
                                                • Instruction Fuzzy Hash: D9813C30F0020A8BDF54DFA9D55476EB7F6EB89310F108929E40AEB398EB75DC428B51
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8fbcd1e3dbf6e0c664a74cce503dcd964490468be1ed620840bab689b1544c8d
                                                • Instruction ID: 685e47490d1d8fba17489f7ed08e1b386338a2d36eaa3a8f9d9ae6c7ac313410
                                                • Opcode Fuzzy Hash: 8fbcd1e3dbf6e0c664a74cce503dcd964490468be1ed620840bab689b1544c8d
                                                • Instruction Fuzzy Hash: 09913D30E1021A8BDF60DF69C950B9DB7B1FF89310F20C599E549AB295DB70AA85CF90
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dba43d026ffe448fe2e296946619dd63d98fd806dd7a7a56b0066fa097142eb8
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1c90c1359f426381b6f28006c51a10533b93a960df60415853e9b4019e3af431
                                                • Instruction ID: f03e391b5f978b451dc1e6fb37825baf0e0ce570f992621bae317c45c25d033f
                                                • Opcode Fuzzy Hash: 1c90c1359f426381b6f28006c51a10533b93a960df60415853e9b4019e3af431
                                                • Instruction Fuzzy Hash: D7016D30B201205BDB60DA7DE966B2E77D5EBC9764F108839F10AD7354EE26EC424781
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e254d4af30abfe76678b45ab3ef8684c0915d640911beef573d2d71a69bc2342
                                                • Instruction ID: 78abc11f7420b16cf029aba1dcca6d2f654d849ab81ece5c4781a5860432601c
                                                • Opcode Fuzzy Hash: e254d4af30abfe76678b45ab3ef8684c0915d640911beef573d2d71a69bc2342
                                                • Instruction Fuzzy Hash: 7C016D36F101254BDF949A6999142FE72AFAB88710F005536E506E7244EE24CC0647D1
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c82c822961009984ee7835797f868d011991f26b19e4bb0d027abb8a42964d2a
                                                • Instruction ID: 348a383eabf6c733904cd76f0a04323e28150d0dd3fd50f566856d667261023e
                                                • Opcode Fuzzy Hash: c82c822961009984ee7835797f868d011991f26b19e4bb0d027abb8a42964d2a
                                                • Instruction Fuzzy Hash: 5F018C30B201205BDB60DA7DE965B2E77D9EBC9B64F108838F10AD7354EE26EC428781
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 63fe06ee4490b89d06e305f09d58dfb51c212ef9d55480cd443cd865ed99ecea
                                                • Instruction ID: 177a174f7ce7f5389c2a071d5ca557f73a979ab621d89f94f420fd55c7cb97de
                                                • Opcode Fuzzy Hash: 63fe06ee4490b89d06e305f09d58dfb51c212ef9d55480cd443cd865ed99ecea
                                                • Instruction Fuzzy Hash: BB018130F100104BDBA0DABDEA65B2E67D5EBC8724F108839F00AD7354EE26EC424780
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8e19c371ce2ef2031041816654145cd3471cc01f749424efc66f85da2c615d43
                                                • Instruction ID: 4763eb03449f8ddb006187bcd22711c1feb017e73c6c5f5d53cfcbade64f1e5b
                                                • Opcode Fuzzy Hash: 8e19c371ce2ef2031041816654145cd3471cc01f749424efc66f85da2c615d43
                                                • Instruction Fuzzy Hash: 2201F432F102249BCB649A6AF840A9EB7B9F784320F408439F941EB380DB32AC0487C0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8bfbd691c5c70d7b192bde40dae9bac995c3d43821376c98d7440b550c1e36a4
                                                • Instruction ID: 0b59e21378353ec94f9eecab803aa07a07cc849f4b5424663ec2607fadb14a62
                                                • Opcode Fuzzy Hash: 8bfbd691c5c70d7b192bde40dae9bac995c3d43821376c98d7440b550c1e36a4
                                                • Instruction Fuzzy Hash: 50E08672E15108ABEF90DEB5DE4675E7B7DD702308F2084A6E405DB246E677CE028752
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c94ad7eefe596bf28aa8267fd218daa69c805cffb676c170ff98b4d6ac38a593
                                                • Instruction ID: db46dc4b783d08206b97eeda5298ff39ea4bb49a59732e48a93ad9eea28b9739
                                                • Opcode Fuzzy Hash: c94ad7eefe596bf28aa8267fd218daa69c805cffb676c170ff98b4d6ac38a593
                                                • Instruction Fuzzy Hash: 50E0C272E10108ABDF90DEBACE4675E77ACD701208F2084A4E408D7202E273CE028741
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
                                                • API String ID: 0-1324371161
                                                • Opcode ID: a1d59f4c4cccccb946e969040b94431fe3b6638ff9b8d9e6234e8ef0aca47384
                                                • Instruction ID: b387954a4556f51ebf1351a02fe8ab905ac2e21318a802b00cee0233e4b9b277
                                                • Opcode Fuzzy Hash: a1d59f4c4cccccb946e969040b94431fe3b6638ff9b8d9e6234e8ef0aca47384
                                                • Instruction Fuzzy Hash: C3121E30E002198FDB64EF65C954AAEB7B6BF88304F248569E409AB364DB34DD85CF90
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
                                                • API String ID: 0-1078448309
                                                • Opcode ID: 73d053446d84ed6886f86e1d26a9e098803a152e12561cb0221a31d0b7b0784a
                                                • Instruction ID: 5093f051b67a7a64113e7e6628129491358e04351598c535be12d12e119f269e
                                                • Opcode Fuzzy Hash: 73d053446d84ed6886f86e1d26a9e098803a152e12561cb0221a31d0b7b0784a
                                                • Instruction Fuzzy Hash: 6C915F30E10209DFDB68DF6ADA5476EB7B6FF84304F248529E402A7294DB79DC85CB90
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq$$kq$$kq$$kq$$kq
                                                • API String ID: 0-1342094364
                                                • Opcode ID: b783d38a9e71539f7b57b250734d71811881a8357253cc2d1f63da84f1b5279e
                                                • Instruction ID: c972c6fb4e728fe376a2ed1b0e84f44793b747a93b6490e5fae081619b87635f
                                                • Opcode Fuzzy Hash: b783d38a9e71539f7b57b250734d71811881a8357253cc2d1f63da84f1b5279e
                                                • Instruction Fuzzy Hash: C4F17430B00205CFDB55EF69D554A6EB7B6FF89304F248569E4059B3A8DB39EC82CB50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq$$kq$$kq
                                                • API String ID: 0-2881790790
                                                • Opcode ID: 7265d2c9c28777e827cdd39952059701ebedb3b2a83cf1a2757ace01385928f5
                                                • Instruction ID: dcccab48388bb59e58098a12b2c81c7d7d915d77702f62bfe0b5d8112890e6e6
                                                • Opcode Fuzzy Hash: 7265d2c9c28777e827cdd39952059701ebedb3b2a83cf1a2757ace01385928f5
                                                • Instruction Fuzzy Hash: B8B15930E002098FDB65EF69C5506AEB7B6FF88350F24852DE4169B3A5DB75DC82CB90
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq$$kq$$kq
                                                • API String ID: 0-2881790790
                                                • Opcode ID: 02caa5ac6778a73eba11a73bbf6540baa3f0d25228d2554421e13dbf5ac4b243
                                                • Instruction ID: e1fc23082eb97fd364cb66a99fe15b8600e4d3cde695962faa607759dcdc7f96
                                                • Opcode Fuzzy Hash: 02caa5ac6778a73eba11a73bbf6540baa3f0d25228d2554421e13dbf5ac4b243
                                                • Instruction Fuzzy Hash: 5851C130F102058FCF65DB6AD98066EB7B6EF89310F248569E805EB391DB35EC41CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2918643586.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6f60000_LisectAVT_2403002A_124.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LRkq$LRkq$$kq$$kq
                                                • API String ID: 0-2392252538
                                                • Opcode ID: f9b0ed2b4cd1e7dfad922852dba9e1d19ad36a8cddef62c18ce3310e48fa26ae
                                                • Instruction ID: c0da5c1d4006755aa24fca35ca1a84bfc9796f42ce6b925a013f86083eebecd9
                                                • Opcode Fuzzy Hash: f9b0ed2b4cd1e7dfad922852dba9e1d19ad36a8cddef62c18ce3310e48fa26ae
                                                • Instruction Fuzzy Hash: 4051C130B002029FDB58DF29D950A6AB7F6FF88354F14856DE4169B3A9DB35EC40CBA1