Windows Analysis Report
LisectAVT_2403002A_262.exe

Overview

General Information

Sample name: LisectAVT_2403002A_262.exe
Analysis ID: 1481019
MD5: 6efb242ee7f7a8fac1e25dec0ac7f516
SHA1: 65f5091253ff71b5fe2c5539413034dfdded3bdf
SHA256: 7cb0ebf40882b541a0afbe9e0c1fa73f78df98778d745e821d4abb209df37966
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected RisePro Stealer
AI detected suspicious sample
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found potential dummy code loops (likely to delay analysis)
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
PE file contains section with special chars
Potential thread-based time evasion detected
Switches to a custom stack to bypass stack traces
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: LisectAVT_2403002A_262.exe Avira: detected
Source: LisectAVT_2403002A_262.exe ReversingLabs: Detection: 55%
Source: LisectAVT_2403002A_262.exe Virustotal: Detection: 60%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: LisectAVT_2403002A_262.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002A_262.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 193.233.132.190:50500
Source: Joe Sandbox View IP Address: 193.233.132.190 193.233.132.190
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.190
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_002CE0A0 recv,setsockopt,setsockopt,connect,setsockopt, 0_2_002CE0A0
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT

System Summary

Source: LisectAVT_2403002A_262.exe Static PE information: section name: .vmp$PH
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_003340A0 0_2_003340A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_0033E0F0 0_2_0033E0F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_002BE150 0_2_002BE150
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_00306270 0_2_00306270
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_003AE264 0_2_003AE264
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_003A8314 0_2_003A8314
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_0033E300 0_2_0033E300
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_0037E300 0_2_0037E300
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_00338370 0_2_00338370
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_003B0413 0_2_003B0413
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_002DC470 0_2_002DC470
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_00324450 0_2_00324450
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_002B24F0 0_2_002B24F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_003104D0 0_2_003104D0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_0037C580 0_2_0037C580
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_00366630 0_2_00366630
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_00334610 0_2_00334610
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_0039A65D 0_2_0039A65D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_0036C770 0_2_0036C770
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_0049885E 0_2_0049885E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_0033A840 0_2_0033A840
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_002D88A0 0_2_002D88A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_002FA900 0_2_002FA900
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_0039A99F 0_2_0039A99F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_00332A70 0_2_00332A70
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_002DEA60 0_2_002DEA60
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_00370A90 0_2_00370A90
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_002D4AD0 0_2_002D4AD0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_0033CC30 0_2_0033CC30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_002DAE30 0_2_002DAE30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_00344EE0 0_2_00344EE0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_00394F58 0_2_00394F58
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_00396F90 0_2_00396F90
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_0033CF80 0_2_0033CF80
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_0034B000 0_2_0034B000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_00335040 0_2_00335040
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_0033F110 0_2_0033F110
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_00341110 0_2_00341110
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_00337100 0_2_00337100
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_002F3160 0_2_002F3160
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_002E11D0 0_2_002E11D0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_002FF280 0_2_002FF280
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_002D3330 0_2_002D3330
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_003453D0 0_2_003453D0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_0046B450 0_2_0046B450
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_0033D400 0_2_0033D400
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_00385470 0_2_00385470
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_00381450 0_2_00381450
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_002EB480 0_2_002EB480
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_003356F0 0_2_003356F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_003417F0 0_2_003417F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_002E77E0 0_2_002E77E0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_002E58A0 0_2_002E58A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_0038B900 0_2_0038B900
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: String function: 0038E9C0 appears 34 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: String function: 00340F50 appears 87 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: String function: 002B2AE0 appears 58 times
Source: LisectAVT_2403002A_262.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe File created: C:\Users\user\AppData\Local\Temp\adobe1UCxyIil7R_y
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LisectAVT_2403002A_262.exe, LisectAVT_2403002A_262.exe, 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: LisectAVT_2403002A_262.exe ReversingLabs: Detection: 55%
Source: LisectAVT_2403002A_262.exe Virustotal: Detection: 60%
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe File read: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Section loaded: devobj.dll
Source: LisectAVT_2403002A_262.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: LisectAVT_2403002A_262.exe Static file information: File size 2956293 > 1048576
Source: LisectAVT_2403002A_262.exe Static PE information: Raw size of .vmp$PH is bigger than: 0x100000 < 0x2ce800
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_002EB480 SHGetFolderPathA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_002EB480
Source: initial sample Static PE information: section where entry point is pointing to: .vmp$PH
Source: LisectAVT_2403002A_262.exe Static PE information: real checksum: 0x2deb24 should be: 0x2deb29
Source: LisectAVT_2403002A_262.exe Static PE information: section name: .vmp$PH
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_0042A0AB push ss; iretd 0_2_0042A0EA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_004C2120 pushad ; iretd 0_2_004C2191
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_0038E588 push ecx; ret 0_2_0038E59B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_0041E97D push 7396A22Dh; iretd 0_2_0041E999
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_004DA980 push ebx; retf 0_2_004F2F2A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_004DCA60 push ebx; retf 0_2_004DCA6A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_004ECB3C push esp; retf 237Dh 0_2_004ECB5F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_004BF1AD push ecx; ret 0_2_004BF1C9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_003340A0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_003340A0

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Stalling execution: Execution stalls by calling Sleep
Source: Initial file Signature Results: Thread-based counter
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe API/Special instruction interceptor: Address: 52EEF2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe API/Special instruction interceptor: Address: 51EB62
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe API/Special instruction interceptor: Address: 521493
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe API/Special instruction interceptor: Address: 5AC5DF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe API/Special instruction interceptor: Address: 563ADB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe API/Special instruction interceptor: Address: 55A082
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe API/Special instruction interceptor: Address: 617C84
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_004EA790 rdtsc 0_2_004EA790
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 0_2_00312530
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Window / User API: threadDelayed 3118
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Window / User API: threadDelayed 5366
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe API coverage: 4.7 %
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe TID: 1220 Thread sleep count: 3118 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe TID: 1220 Thread sleep time: -314918s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe TID: 3060 Thread sleep count: 303 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe TID: 1220 Thread sleep count: 5366 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe TID: 1220 Thread sleep time: -541966s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Last function: Thread delayed
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105722473.00000000010FC000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}544
Source: LisectAVT_2403002A_262.exe, 00000000.00000003.1670745035.00000000014D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}t
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_C88909DA
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Anti Debugging

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_004EA790 rdtsc 0_2_004EA790
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_002EB480 SHGetFolderPathA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_002EB480
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_00312530 mov eax, dword ptr fs:[00000030h] 0_2_00312530
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_002C4100 mov eax, dword ptr fs:[00000030h] 0_2_002C4100
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_0038E3B4 cpuid 0_2_0038E3B4
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Code function: 0_2_002BA480 GetProcAddress,GetVersionExA, 0_2_002BA480
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_262.exe PID: 3300, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_262.exe PID: 3300, type: MEMORYSTR