Windows Analysis Report
LisectAVT_2403002A_29.exe

Overview

General Information

Sample name: LisectAVT_2403002A_29.exe
Analysis ID: 1482367
MD5: e6a5050de4674c9280d6fb1a51456867
SHA1: fde04fb3d905cf314a22836276bc668bfcef2e5a
SHA256: 1b479dc4d8b2e7b2ca7fcda6699835a14223bf7c1540d6100b98f6658c8c165f
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: MSBuild connects to smtp port
Sigma detected: RegAsm connects to smtp port
Sigma detected: Schedule system process
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Drops PE files with benign system names
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: LisectAVT_2403002A_29.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\svchost.exe Avira: detection malicious, Label: TR/AD.Nekark.jlfug
Source: 24.2.svchost.exe.17052088b18.0.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "cp8nl.hyperhost.ua", "Username": "royallog@fibraunollc.top", "Password": " 7213575aceACE@#$ "}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\svchost.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002A_29.exe Joe Sandbox ML: detected

Exploits

Source: Yara match File source: 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2287115517.0000021D90C2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2287115517.0000021D9084F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2390489517.00000214422A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2462594062.000001704247C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_29.exe PID: 6688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7572, type: MEMORYSTR
Source: LisectAVT_2403002A_29.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: HFayo.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Xml.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.ni.pdbRSDS source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: Microsoft.CSharp.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Drawing.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Configuration.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Dynamic.pdbp source: WERB646.tmp.dmp.21.dr
Source: Binary string: Microsoft.CSharp.pdbX source: WERD632.tmp.dmp.29.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Configuration.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.pdb^ source: WERB646.tmp.dmp.21.dr
Source: Binary string: System.pdbMZ source: WERF524.tmp.dmp.36.dr
Source: Binary string: System.Xml.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Core.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Xml.pdbSystem.dll` source: WERB646.tmp.dmp.21.dr
Source: Binary string: System.Windows.Forms.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Configuration.pdb8 source: WERD632.tmp.dmp.29.dr
Source: Binary string: System.Drawing.pdb0 source: WERD632.tmp.dmp.29.dr
Source: Binary string: mscorlib.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: Microsoft.CSharp.pdb0 source: WERB0D8.tmp.dmp.19.dr
Source: Binary string: System.Dynamic.pdbH source: WERB0D8.tmp.dmp.19.dr
Source: Binary string: System.Dynamic.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Drawing.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: mscorlib.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: mscorlib.pdbU source: WERB646.tmp.dmp.21.dr
Source: Binary string: System.pdb0#p source: WERB0D8.tmp.dmp.19.dr
Source: Binary string: System.Core.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Drawing.pdb` source: WERB646.tmp.dmp.21.dr
Source: Binary string: HFayo.pdbP/ source: WERB646.tmp.dmp.21.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\HFayo\obj\Release\HFayo.pdb source: LisectAVT_2403002A_29.exe, svchost.exe.1.dr
Source: Binary string: System.Configuration.pdbP source: WERB0D8.tmp.dmp.19.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Windows.Forms.pdb@ source: WERF524.tmp.dmp.36.dr
Source: Binary string: System.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: global traffic TCP traffic: 192.168.2.6:49720 -> 185.174.175.187:587
Source: global traffic TCP traffic: 192.168.2.6:64302 -> 1.1.1.1:53
Source: Joe Sandbox View IP Address: 185.174.175.187 185.174.175.187
Source: Joe Sandbox View ASN Name: ITLDC-NLUA ITLDC-NLUA
Source: global traffic TCP traffic: 192.168.2.6:49720 -> 185.174.175.187:587
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 217.20.57.27
Source: unknown TCP traffic detected without corresponding DNS query: 217.20.57.27
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: cp8nl.hyperhost.ua
Source: RegAsm.exe, 0000000C.00000002.2525046983.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3409529944.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3407099977.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cp8nl.hyperhost.ua
Source: RegAsm.exe, 0000000C.00000002.2545710265.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2525046983.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3452363902.0000000006400000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3405626312.00000000014A7000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3454826788.0000000006449000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3409529944.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3451198181.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3452656866.0000000006110000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3407099977.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegAsm.exe, 0000000C.00000002.2545710265.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3452363902.0000000006426000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3451198181.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3452656866.0000000006110000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: svchost.exe, 00000002.00000002.3405457623.00000298F0EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: RegAsm.exe, 0000000C.00000002.2545710265.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2525046983.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3452363902.0000000006400000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3454826788.0000000006449000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3405626312.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3409529944.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3451198181.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3452656866.0000000006110000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3407099977.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: qmgr.db.2.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.2.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
Source: qmgr.db.2.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.2.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.2.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.2.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.2.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.2.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: RegAsm.exe, 0000000C.00000002.2545710265.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2525046983.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3452363902.0000000006400000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3405626312.00000000014A7000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3454826788.0000000006449000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3409529944.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3451198181.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3452656866.0000000006110000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3407099977.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 0000000C.00000002.2545710265.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2525046983.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3452363902.0000000006400000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3454826788.0000000006449000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3405626312.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3409529944.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3451198181.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3452656866.0000000006110000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3407099977.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: LisectAVT_2403002A_29.exe, 00000001.00000002.2287115517.0000021D909E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.19.dr String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000009.00000002.2415909441.000001F244011000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2394298130.0000021452241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2506543438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2470873767.0000017052012000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2558777544.000001911138A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: qmgr.db.2.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000002.00000003.2203217669.00000298F0BE0000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: RegAsm.exe, 0000000C.00000002.2545710265.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2525046983.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3452363902.0000000006400000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3454826788.0000000006449000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3405626312.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3409529944.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3451198181.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3452656866.0000000006110000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3407099977.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, hxAF.cs .Net Code: gcE
Source: 9.2.svchost.exe.1f24404c2a0.0.raw.unpack, hxAF.cs .Net Code: gcE
Source: 10.2.svchost.exe.214522b6dd8.0.raw.unpack, hxAF.cs .Net Code: gcE
Source: 10.2.svchost.exe.2145227c390.1.raw.unpack, hxAF.cs .Net Code: gcE
Source: 24.2.svchost.exe.17052088b18.0.raw.unpack, hxAF.cs .Net Code: gcE

System Summary

Source: 31.2.svchost.exe.191113c5518.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.svchost.exe.1f24404c2a0.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 24.2.svchost.exe.1705204e0d0.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 31.2.svchost.exe.1911138aad0.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.svchost.exe.214522b6dd8.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 31.2.svchost.exe.1911138aad0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.svchost.exe.1f244086ce8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.svchost.exe.2145227c390.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 31.2.svchost.exe.191113c5518.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 24.2.svchost.exe.17052088b18.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 24.2.svchost.exe.17052088b18.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.svchost.exe.1f24404c2a0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.svchost.exe.2145227c390.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.svchost.exe.214522b6dd8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 24.2.svchost.exe.1705204e0d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 24_2_00007FFD346AD66A NtUnmapViewOfSection, 24_2_00007FFD346AD66A
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 31_2_00007FFD346ED66A NtUnmapViewOfSection, 31_2_00007FFD346ED66A
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Code function: 1_2_00007FFD34660C86 1_2_00007FFD34660C86
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Code function: 1_2_00007FFD34656D79 1_2_00007FFD34656D79
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Code function: 1_2_00007FFD34678870 1_2_00007FFD34678870
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Code function: 1_2_00007FFD3465C998 1_2_00007FFD3465C998
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Code function: 1_2_00007FFD34667240 1_2_00007FFD34667240
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Code function: 1_2_00007FFD346612CD 1_2_00007FFD346612CD
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Code function: 1_2_00007FFD3465126C 1_2_00007FFD3465126C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Code function: 1_2_00007FFD34660FFA 1_2_00007FFD34660FFA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Code function: 1_2_00007FFD3465E2B0 1_2_00007FFD3465E2B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Code function: 1_2_00007FFD3465D3F0 1_2_00007FFD3465D3F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Code function: 1_2_00007FFD347905E1 1_2_00007FFD347905E1
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 9_2_00007FFD34690C86 9_2_00007FFD34690C86
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 9_2_00007FFD34686D79 9_2_00007FFD34686D79
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 9_2_00007FFD346A8870 9_2_00007FFD346A8870
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 9_2_00007FFD34697240 9_2_00007FFD34697240
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 9_2_00007FFD3468CAB8 9_2_00007FFD3468CAB8
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 9_2_00007FFD346865BD 9_2_00007FFD346865BD
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 9_2_00007FFD34690FC7 9_2_00007FFD34690FC7
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 9_2_00007FFD34690FFA 9_2_00007FFD34690FFA
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 9_2_00007FFD3468E2B0 9_2_00007FFD3468E2B0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 9_2_00007FFD347C082B 9_2_00007FFD347C082B
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 9_2_00007FFD347C13E9 9_2_00007FFD347C13E9
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 10_2_00007FFD346A0C86 10_2_00007FFD346A0C86
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 10_2_00007FFD34696D79 10_2_00007FFD34696D79
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 10_2_00007FFD346B8870 10_2_00007FFD346B8870
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 10_2_00007FFD346A7240 10_2_00007FFD346A7240
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 10_2_00007FFD346A12CD 10_2_00007FFD346A12CD
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 10_2_00007FFD3469126C 10_2_00007FFD3469126C
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 10_2_00007FFD346A0FFA 10_2_00007FFD346A0FFA
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 10_2_00007FFD3469C998 10_2_00007FFD3469C998
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 10_2_00007FFD3469E2B0 10_2_00007FFD3469E2B0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 10_2_00007FFD347D082B 10_2_00007FFD347D082B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_011E9378 12_2_011E9378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_011E9BE8 12_2_011E9BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_011E4A98 12_2_011E4A98
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 464 -p 1808 -ip 1808
Source: svchost.exe.1.dr Static PE information: No import functions for PE file found
Source: LisectAVT_2403002A_29.exe Static PE information: No import functions for PE file found
Source: LisectAVT_2403002A_29.exe, 00000001.00000000.2154463562.0000021D8EBB2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameHFayo.exe, vs LisectAVT_2403002A_29.exe
Source: LisectAVT_2403002A_29.exe Binary or memory string: OriginalFilenameHFayo.exe, vs LisectAVT_2403002A_29.exe
Source: 31.2.svchost.exe.191113c5518.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.svchost.exe.1f24404c2a0.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 24.2.svchost.exe.1705204e0d0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 31.2.svchost.exe.1911138aad0.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.svchost.exe.214522b6dd8.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 31.2.svchost.exe.1911138aad0.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.svchost.exe.1f244086ce8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.svchost.exe.2145227c390.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 31.2.svchost.exe.191113c5518.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 24.2.svchost.exe.17052088b18.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 24.2.svchost.exe.17052088b18.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.svchost.exe.1f24404c2a0.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.svchost.exe.2145227c390.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.svchost.exe.214522b6dd8.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 24.2.svchost.exe.1705204e0d0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: LisectAVT_2403002A_29.exe, ----.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: svchost.exe.1.dr, ----.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, N43UVggPg.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, N43UVggPg.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, Ow96S4wT.cs Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe, 00000018.00000002.2462594062.000001704247C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: .VBp
Source: classification engine Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@62/33@1/2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe File created: C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2832:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3260
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7572
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1808
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7280
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4904:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe File created: C:\Users\user\AppData\Local\Temp\tmp990A.tmp
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp990A.tmp.bat""
Source: LisectAVT_2403002A_29.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LisectAVT_2403002A_29.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe File read: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe "C:\Users\user\Desktop\LisectAVT_2403002A_29.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp990A.tmp.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
Source: unknown Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 464 -p 1808 -ip 1808
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1808 -s 1044
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 428 -p 3260 -ip 3260
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3260 -s 1212
Source: unknown Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 536 -p 7280 -ip 7280
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7280 -s 1192
Source: unknown Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 572 -p 7572 -ip 7572
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7572 -s 1204
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp990A.tmp.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 464 -p 1808 -ip 1808
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1808 -s 1044
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 428 -p 3260 -ip 3260
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3260 -s 1212
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 536 -p 7280 -ip 7280
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7280 -s 1192
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 572 -p 7572 -ip 7572
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7572 -s 1204
Source: C:\Windows\System32\WerFault.exe Process created: unknown unknown
Source: C:\Windows\System32\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Windows\System32\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Windows\System32\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\timeout.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: LisectAVT_2403002A_29.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: LisectAVT_2403002A_29.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: LisectAVT_2403002A_29.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: HFayo.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Xml.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.ni.pdbRSDS source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: Microsoft.CSharp.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Drawing.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Configuration.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Dynamic.pdbp source: WERB646.tmp.dmp.21.dr
Source: Binary string: Microsoft.CSharp.pdbX source: WERD632.tmp.dmp.29.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Configuration.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.pdb^ source: WERB646.tmp.dmp.21.dr
Source: Binary string: System.pdbMZ source: WERF524.tmp.dmp.36.dr
Source: Binary string: System.Xml.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Core.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Xml.pdbSystem.dll` source: WERB646.tmp.dmp.21.dr
Source: Binary string: System.Windows.Forms.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Configuration.pdb8 source: WERD632.tmp.dmp.29.dr
Source: Binary string: System.Drawing.pdb0 source: WERD632.tmp.dmp.29.dr
Source: Binary string: mscorlib.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: Microsoft.CSharp.pdb0 source: WERB0D8.tmp.dmp.19.dr
Source: Binary string: System.Dynamic.pdbH source: WERB0D8.tmp.dmp.19.dr
Source: Binary string: System.Dynamic.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Drawing.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: mscorlib.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: mscorlib.pdbU source: WERB646.tmp.dmp.21.dr
Source: Binary string: System.pdb0#p source: WERB0D8.tmp.dmp.19.dr
Source: Binary string: System.Core.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Drawing.pdb` source: WERB646.tmp.dmp.21.dr
Source: Binary string: HFayo.pdbP/ source: WERB646.tmp.dmp.21.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\HFayo\obj\Release\HFayo.pdb source: LisectAVT_2403002A_29.exe, svchost.exe.1.dr
Source: Binary string: System.Configuration.pdbP source: WERB0D8.tmp.dmp.19.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Windows.Forms.pdb@ source: WERF524.tmp.dmp.36.dr
Source: Binary string: System.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source: LisectAVT_2403002A_29.exe Static PE information: 0xDF358803 [Tue Aug 31 21:49:55 2088 UTC]
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Code function: 1_2_00007FFD3466558A push ss; iretd 1_2_00007FFD34665617
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Code function: 1_2_00007FFD346500BD pushad ; iretd 1_2_00007FFD346500C1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Code function: 1_2_00007FFD34663425 push ebp; iretd 1_2_00007FFD34663428
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Code function: 1_2_00007FFD347905E1 push esp; retf 4810h 1_2_00007FFD347908D2
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 9_2_00007FFD346800BD pushad ; iretd 9_2_00007FFD346800C1
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 9_2_00007FFD347C082B push esp; retf 4810h 9_2_00007FFD347C08D2
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 10_2_00007FFD346900BD pushad ; iretd 10_2_00007FFD346900C1
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 10_2_00007FFD346A3425 push ebp; iretd 10_2_00007FFD346A3428
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 10_2_00007FFD347D082B push esp; retf 4810h 10_2_00007FFD347D08D2
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 24_2_00007FFD34697563 push ebx; iretd 24_2_00007FFD3469756A
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 24_2_00007FFD34697C2E pushad ; retf 24_2_00007FFD34697C5D
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 24_2_00007FFD346655C2 push ss; iretd 24_2_00007FFD34665617
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 24_2_00007FFD34663425 push ebp; iretd 24_2_00007FFD34663428
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 24_2_00007FFD34684B7D push eax; ret 24_2_00007FFD34684BA4
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 24_2_00007FFD346500BD pushad ; iretd 24_2_00007FFD346500C1
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 24_2_00007FFD3479082B push esp; retf 4810h 24_2_00007FFD347908D2
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 31_2_00007FFD346D7563 push ebx; iretd 31_2_00007FFD346D756A
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 31_2_00007FFD346D7C2E pushad ; retf 31_2_00007FFD346D7C5D
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 31_2_00007FFD346C4B7D push eax; ret 31_2_00007FFD346C4BA4
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 31_2_00007FFD346A55C1 push ss; iretd 31_2_00007FFD346A5617
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 31_2_00007FFD346A3425 push ebp; iretd 31_2_00007FFD346A3428
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 31_2_00007FFD346900BD pushad ; iretd 31_2_00007FFD346900C1
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 31_2_00007FFD347D082B push esp; retf 4810h 31_2_00007FFD347D08D2

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe File created: C:\Users\user\AppData\Roaming\svchost.exe

Boot Survival

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX (67 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX (59 occurrences)
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (20 occurrences)
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (110 occurrences)
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX (46 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX (28 identical entries)

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: svchost.exe PID: 1808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7280, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: LisectAVT_2403002A_29.exe, 00000001.00000002.2287115517.0000021D90C2C000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_29.exe, 00000001.00000002.2287115517.0000021D9084F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2390489517.00000214422A8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2462594062.000001704247C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: LisectAVT_2403002A_29.exe, 00000001.00000002.2287115517.0000021D90C2C000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_29.exe, 00000001.00000002.2287115517.0000021D9084F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2390489517.00000214422A8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2462594062.000001704247C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Memory allocated: 21D8EF00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Memory allocated: 21DA8750000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 1F2321E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 1F24BFA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 214421D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 2145A1D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 11E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2AC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 4AC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 2EC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 3040000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 5040000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 17040590000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 17059FA0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: E40000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2A10000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2760000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 191755F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 191755F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2C60000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2C90000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 4C90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 1096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 4372
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Window / User API: threadDelayed 3503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Window / User API: threadDelayed 2292
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 2627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 4839
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 2307
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 2663
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe TID: 2104 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1432 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2012 Thread sleep count: 1096 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -99874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2012 Thread sleep count: 4372 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -99766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -99656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -99547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -99436s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -99324s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -99219s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -99109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -98987s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -98843s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -98469s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -98328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -98218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -98109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -97997s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -97891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -97781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -97672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -97562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -97453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -97344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -97233s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -97124s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -97016s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -96906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -96797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -96683s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6976 Thread sleep count: 3503 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -99873s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -99766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -99656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -99541s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -99433s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -99195s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -99094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -98969s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -98859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6976 Thread sleep count: 2292 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -98750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -98641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -98531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -98422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -98312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -98203s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -98094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -97984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -97872s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -97766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -97641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -97516s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -97406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -97297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -97183s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -97075s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -96954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -96767s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -96641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -96516s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -96391s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7500 Thread sleep count: 2627 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -99888s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7500 Thread sleep count: 4839 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -99781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -99672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -99547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -99437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -99328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -99218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -99083s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -98895s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -98781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -98671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -98562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -98453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -98343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -98219s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -98094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -97984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -97874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -97765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -97656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -97546s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -97437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -97328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -97214s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -97109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -96999s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -96874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -96765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -96655s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -96545s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -96437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -96328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -96216s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -96108s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -95999s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -95890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800 Thread sleep count: 2307 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -99890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800 Thread sleep count: 2663 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -99781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -99672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -99562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -99453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -99343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -99234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -99124s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -99014s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -98906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -98796s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -98687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -98578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -98468s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -98359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -98249s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -98140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -98031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -97722s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -97594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -97455s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -97328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -97219s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -97080s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
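The evasion evidence in this section is a long run of per-thread sleep and per-process WMI observations, and what a responder usually wants from it is a per-process summary: which processes carry sandbox-product strings, which query VM-fingerprinting WMI classes, how much wall-clock time each requested through sleeps, and which used the 922337203685477 sentinel. The script below is an added example for reducing lines in this report's format to such a summary; it is not part of the sandbox report and not the sample's own code. Its sample input is constructed from lines copied out of this section (with the report's "Jump to behavior" link text removed). It assumes the report prints sleep values in milliseconds despite the "s" suffix (the 30000 threshold and 922337203685477, which is TimeSpan.MaxValue expressed in milliseconds, both point that way), treats any value beyond the Int32 millisecond range as an effectively infinite wait, and its list of fingerprinting classes and scoring weights are the author's own choices that go slightly beyond the three classes seen on this page.

```python
import re
from collections import defaultdict

# Constructed sample: evidence lines copied from the report section above.
SAMPLE_LINES = r"""
Source: LisectAVT_2403002A_29.exe, 00000001.00000002.2287115517.0000021D90C2C000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_29.exe, 00000001.00000002.2287115517.0000021D9084F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2390489517.00000214422A8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2462594062.000001704247C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: LisectAVT_2403002A_29.exe, 00000001.00000002.2287115517.0000021D90C2C000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_29.exe, 00000001.00000002.2287115517.0000021D9084F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2390489517.00000214422A8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2462594062.000001704247C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2012 Thread sleep count: 1096 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -99874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2012 Thread sleep count: 4372 > 30
Source: C:\Windows\System32\svchost.exe TID: 1432 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe TID: 2104 Thread sleep time: -922337203685477s >= -30000s
"""

# Strings that name a sandbox/emulation product (seen in this report).
SANDBOX_STRINGS = {"SBIEDLL.DLL": "Sandboxie", "WINE_GET_UNIX_FILE_NAME": "Wine"}
# WMI classes whose properties (MAC OUI, board vendor, CPU name/core count, BIOS,
# disk model) are commonly read to fingerprint a VM. Author's list; the page
# itself shows only the first three.
VM_FINGERPRINT_CLASSES = {
    "Win32_NetworkAdapterConfiguration", "Win32_NetworkAdapter", "Win32_BaseBoard",
    "Win32_Processor", "Win32_ComputerSystem", "Win32_BIOS", "Win32_DiskDrive",
}
# Assumption: values are milliseconds despite the report's "s" suffix.
SLEEP_THRESHOLD_MS = 30_000
INFINITE_MS = 2**31  # beyond Int32 ms: treat as an effectively infinite wait

LINE_RE = re.compile(
    r"^Source: (?P<src>.+?)(?: TID: (?P<tid>\d+))?"
    r" (?P<event>Thread sleep time|Thread sleep count|WMI Queries|"
    r"Binary or memory string|File opened): (?P<rest>.*)$"
)


def _empty():
    return {"sandbox_strings": set(), "vm_wmi_classes": set(), "sleep_ms_total": 0,
            "sleep_calls": 0, "infinite_sleeps": 0, "sleep_loop_iterations": 0,
            "raw_device_opens": []}


def _sources(src):
    # A memory-string line lists "proc, dump, proc, dump, ..."; a behaviour line is
    # one full path. Bare names from dumps therefore stay separate keys from the
    # full-path entries (this keeps the dropped svchost.exe apart from System32's).
    return [t.strip() for t in src.split(",") if not t.strip().endswith(".sdmp")]


def parse_evidence(text):
    procs = defaultdict(_empty)
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event, rest = m["event"], m["rest"].strip()
        for name in _sources(m["src"]):
            p = procs[name]
            if event == "Thread sleep time":
                ms = int(re.match(r"-?(\d+)s", rest).group(1))
                if ms >= INFINITE_MS:
                    p["infinite_sleeps"] += 1
                else:
                    p["sleep_ms_total"] += ms
                    p["sleep_calls"] += 1
            elif event == "Thread sleep count":
                p["sleep_loop_iterations"] += int(re.match(r"(\d+)", rest).group(1))
            elif event == "WMI Queries":
                cls = re.search(r"\b(Win32_\w+)", rest)
                if cls and cls.group(1) in VM_FINGERPRINT_CLASSES:
                    p["vm_wmi_classes"].add(cls.group(1))
            elif event == "Binary or memory string" and rest in SANDBOX_STRINGS:
                p["sandbox_strings"].add(SANDBOX_STRINGS[rest])
            elif event == "File opened" and rest.startswith("PhysicalDrive"):
                p["raw_device_opens"].append(rest)
    return dict(procs)


def score(p):
    # Weights are illustrative. A single sleep at the report's own 30 s threshold
    # or one raw-disk open on its own is weak evidence and stays below "evasive".
    s = 3 * len(p["sandbox_strings"]) + len(p["vm_wmi_classes"])
    s += 2 if p["infinite_sleeps"] else 0
    s += 2 if p["sleep_ms_total"] > SLEEP_THRESHOLD_MS else 0
    s += 1 if p["raw_device_opens"] else 0
    return s


def triage(text):
    out = {}
    for name, p in parse_evidence(text).items():
        p["score"] = score(p)
        p["verdict"] = ("evasive" if p["score"] >= 4 else
                        "suspicious" if p["score"] >= 2 else "low")
        out[name] = p
    return out


if __name__ == "__main__":
    for name, p in sorted(triage(SAMPLE_LINES).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{p['verdict']:<10} {p['score']:>2}  {name}")
        print(f"    sandbox={sorted(p['sandbox_strings'])} wmi={sorted(p['vm_wmi_classes'])} "
              f"sleep_ms={p['sleep_ms_total']} infinite={p['infinite_sleeps']} "
              f"loops={p['sleep_loop_iterations']} raw={p['raw_device_opens']}")
```

Run against the full report text rather than the excerpt, the summary makes the injection chain visible at a glance: the dropped svchost.exe copies carry the Sandboxie and Wine strings, while RegAsm.exe, jsc.exe and MSBuild.exe (the hollowed .NET hosts) are the ones issuing the WMI fingerprint queries and the 100 s sleep loops, which is where the stolen-credential and SMTP activity should be expected.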
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\svchost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\svchost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99436
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98987
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97997
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97233
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96683
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 99873
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 99766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 99656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 99541
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 99433
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 99195
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 99094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 98969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 98859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 98750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 98641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 98531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 98422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 98312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 98203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 98094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 97984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 97872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 97766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 97641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 97516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 97406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 97297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 97183
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 97075
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 96954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 96767
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 96641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 96516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 96391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99083
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98895
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97214
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96655
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96545
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99014
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97455
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: Amcache.hve.19.dr Binary or memory string: VMware
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.19.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.19.dr Binary or memory string: VMware, Inc.
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.19.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.19.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.19.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.19.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.19.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: svchost.exe, 00000002.00000002.3405315224.00000298F0E5B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.19.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.19.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: Amcache.hve.19.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.19.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MSBuild.exe, 0000001A.00000002.3451198181.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3452656866.0000000006110000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.19.dr Binary or memory string: vmci.sys
Source: jsc.exe, 0000000F.00000002.3452363902.0000000006426000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.19.dr Binary or memory string: vmci.syshbin`
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: Amcache.hve.19.dr Binary or memory string: \driver\vmci,\driver\pci
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: svchost.exe, 00000002.00000002.3402453965.00000298EB82B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: LisectAVT_2403002A_29.exe, 00000001.00000002.2292081850.0000021DA9170000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: Amcache.hve.19.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RegAsm.exe, 0000000C.00000002.2545710265.0000000005F17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: Amcache.hve.19.dr Binary or memory string: VMware20,1
Source: Amcache.hve.19.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.19.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.19.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.19.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.19.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.19.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.19.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.19.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.19.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchost.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchost.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: LisectAVT_2403002A_29.exe, ----.cs Reference to suspicious API methods: (()Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary(_FD4A_0655_061B_06D9_FBB9_FDE9_064D_060E_061D_0619._066D_066D_06D6_FDCC_060A_FD49_FBC8_FD43("\u061d\ufdea\ufd4c\ufbc4\ufbbd")), _FD4A_0655_061B_06D9_FBB9_FDE9_064D_060E_061D_0619._066D_066D_06D6_FDCC_060A_FD49_FBC8_FD43("\u06e8\ufdd8")), typeof()))(_FD3F_061A, _FDE2_FDEC_FBBC_FBD1, _FDD6_FDDC_FDE3_0670_060C_064F_0613_FDFE, out _0670)
Source: LisectAVT_2403002A_29.exe, ----.cs Reference to suspicious API methods: (()Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary(_FD4A_0655_061B_06D9_FBB9_FDE9_064D_060E_061D_0619._066D_066D_06D6_FDCC_060A_FD49_FBC8_FD43("\u061d\ufdea\ufd4c\ufbc4\ufbbd")), _FD4A_0655_061B_06D9_FBB9_FDE9_064D_060E_061D_0619._066D_066D_06D6_FDCC_060A_FD49_FBC8_FD43("\u06e8\ufdd8")), typeof()))(_FD3F_061A, _FDE2_FDEC_FBBC_FBD1, _FDD6_FDDC_FDE3_0670_060C_064F_0613_FDFE, out _0670)
Source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, oZQpaCyO4.cs Reference to suspicious API methods: sHbn6juxSv.OpenProcess(ZHKsyD.DuplicateHandle, bInheritHandle: true, (uint)gmSjiIkP2.ProcessID)
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 8BA008
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 402000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 43C000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: FAD008
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43C000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 8AB008
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: DD4008
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp990A.tmp.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 464 -p 1808 -ip 1808
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1808 -s 1044
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 428 -p 3260 -ip 3260
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3260 -s 1212
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 536 -p 7280 -ip 7280
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7280 -s 1192
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 572 -p 7572 -ip 7572
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7572 -s 1204
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.19.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.19.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.19.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.19.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.19.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 31.2.svchost.exe.191113c5518.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.svchost.exe.1f24404c2a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.svchost.exe.1705204e0d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.svchost.exe.1911138aad0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.svchost.exe.214522b6dd8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.svchost.exe.1911138aad0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.svchost.exe.1f244086ce8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.svchost.exe.2145227c390.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.svchost.exe.191113c5518.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.svchost.exe.17052088b18.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.svchost.exe.17052088b18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.svchost.exe.1f24404c2a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.svchost.exe.2145227c390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.svchost.exe.214522b6dd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.svchost.exe.1705204e0d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2525046983.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3407099977.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2470873767.0000017052012000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2525046983.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2506543438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2415909441.000001F244011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2525046983.0000000002B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3406933731.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3407099977.0000000002D09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3409529944.0000000002A8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2558777544.000001911138A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3409529944.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3409529944.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3407099977.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3406933731.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2394298130.0000021452241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jsc.exe PID: 572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7652, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 31.2.svchost.exe.191113c5518.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.svchost.exe.1f24404c2a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.svchost.exe.1705204e0d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.svchost.exe.1911138aad0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.svchost.exe.214522b6dd8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.svchost.exe.1911138aad0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.svchost.exe.1f244086ce8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.svchost.exe.2145227c390.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.svchost.exe.191113c5518.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.svchost.exe.17052088b18.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.svchost.exe.17052088b18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.svchost.exe.1f24404c2a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.svchost.exe.2145227c390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.svchost.exe.214522b6dd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.svchost.exe.1705204e0d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.2470873767.0000017052012000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2525046983.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2506543438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2415909441.000001F244011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2558777544.000001911138A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3409529944.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3406933731.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2394298130.0000021452241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jsc.exe PID: 572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7652, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 31.2.svchost.exe.191113c5518.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.svchost.exe.1f24404c2a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.svchost.exe.1705204e0d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.svchost.exe.1911138aad0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.svchost.exe.214522b6dd8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.svchost.exe.1911138aad0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.svchost.exe.1f244086ce8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.svchost.exe.2145227c390.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.svchost.exe.191113c5518.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.svchost.exe.17052088b18.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.svchost.exe.17052088b18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.svchost.exe.1f24404c2a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.svchost.exe.2145227c390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.svchost.exe.214522b6dd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.svchost.exe.1705204e0d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2525046983.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3407099977.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2470873767.0000017052012000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2525046983.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2506543438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2415909441.000001F244011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2525046983.0000000002B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3406933731.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3407099977.0000000002D09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3409529944.0000000002A8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2558777544.000001911138A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3409529944.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3409529944.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3407099977.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3406933731.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2394298130.0000021452241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jsc.exe PID: 572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7652, type: MEMORYSTR