Windows Analysis Report
LisectAVT_2403002A_16.exe

Overview

General Information

Sample name: LisectAVT_2403002A_16.exe
Analysis ID: 1482478
MD5: 2c10cb6c2e23b7712ebf4042d669cd09
SHA1: f86adb59bd065afd9195b9375271096f341842dc
SHA256: 546569a42f00553d7fda79e6961779afadd95ea8e6a8738ef344275f2b642244
Tags: AgentTeslaexe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: LisectAVT_2403002A_16.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Avira: detection malicious, Label: TR/Kryptik.mzsma
Found malware configuration
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": " *o9H+18Q4%;M "}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: LisectAVT_2403002A_16.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: /log.tmp
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <br>[
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: yyyy-MM-dd HH:mm:ss
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ]<br>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <br>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Time:
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <br>User Name:
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <br>Computer Name:
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <br>OSFullName:
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <br>CPU:
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <br>RAM:
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <br>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: IP Address:
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <br>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <hr>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: New
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: IP Address:
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: mail.mbarieservicesltd.com
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: saless@mbarieservicesltd.com
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: *o9H+18Q4%;M
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: iinfo@mbarieservicesltd.com
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: false
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: appdata
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: KTvkzEc
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: KTvkzEc.exe
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: KTvkzEc
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Type
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <br>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <hr>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <br>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <b>[
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ]</b> (
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: )<br>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {BACK}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {ALT+TAB}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {ALT+F4}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {TAB}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {ESC}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {Win}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {CAPSLOCK}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {KEYUP}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {KEYDOWN}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {KEYLEFT}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {KEYRIGHT}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {DEL}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {END}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {HOME}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {Insert}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {NumLock}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {PageDown}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {PageUp}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {ENTER}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {F1}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {F2}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {F3}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {F4}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {F5}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {F6}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {F7}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {F8}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {F9}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {F10}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {F11}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {F12}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: control
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {CTRL}
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: &amp;
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: &lt;
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: &gt;
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: &quot;
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <br><hr>Copied Text: <br>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <hr>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: logins
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: IE/Edge
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Windows Secure Note
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Windows Web Password Credential
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Windows Credential Picker Protector
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Web Credentials
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Windows Credentials
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Windows Domain Certificate Credential
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Windows Domain Password Credential
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Windows Extended Credential
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: 00000000-0000-0000-0000-000000000000
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SchemaId
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: pResourceElement
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: pIdentityElement
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: pPackageSid
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: pAuthenticatorElement
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: IE/Edge
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: UC Browser
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: UCBrowser\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Login Data
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: journal
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: wow_logins
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Safari for Windows
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <array>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <dict>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <string>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: </string>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <string>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: </string>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <data>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: </data>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: -convert xml1 -s -o "
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \fixed_keychain.xml"
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Microsoft\Credentials\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Microsoft\Credentials\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Microsoft\Credentials\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Microsoft\Credentials\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Microsoft\Protect\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: credential
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: QQ Browser
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Tencent\QQBrowser\User Data
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Default\EncryptedStorage
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Profile
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \EncryptedStorage
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: entries
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: category
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: str3
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: str2
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: blob0
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: password_value
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: IncrediMail
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: PopPassword
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SmtpPassword
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Software\IncrediMail\Identities\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Accounts_New
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: PopPassword
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SmtpPassword
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SmtpServer
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: EmailAddress
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Eudora
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: current
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Settings
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SavePasswordText
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Settings
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ReturnAddress
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Falkon Browser
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \falkon\profiles\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: profiles.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: profiles.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \browsedata.db
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: autofill
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ClawsMail
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Claws-mail
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \clawsrc
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \clawsrc
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: passkey0
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: master_passphrase_salt=(.+)
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \accountrc
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: smtp_server
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: address
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: account
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \passwordstorerc
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: {(.*),(.*)}(.*)
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Flock Browser
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: APPDATA
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Flock\Browser\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: signons3.txt
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: DynDns
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ALLUSERSPROFILE
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Dyn\Updater\config.dyndns
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: username=
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: password=
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: https://account.dyn.com/
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: t6KzXhCh
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ALLUSERSPROFILE
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Dyn\Updater\daemon.cfg
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: global
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: accounts
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: account.
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: username
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: account.
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Psi/Psi+
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: name
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Psi/Psi+
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: APPDATA
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Psi\profiles
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: APPDATA
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Psi+\profiles
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \accounts.xml
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \accounts.xml
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: OpenVPN
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Software\OpenVPN-GUI\configs\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: username
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: auth-data
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: entropy
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: USERPROFILE
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \OpenVPN\config\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: remote
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: remote
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: NordVPN
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: NordVPN
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: NordVpn.exe*
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: user.config
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: //setting[@name='Username']/value
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: //setting[@name='Password']/value
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: NordVPN
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Private Internet Access
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: %ProgramW6432%
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Private Internet Access\data
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ProgramFiles(x86)
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Private Internet Access\data
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \account.json
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: .*"username":"(.*?)"
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: .*"password":"(.*?)"
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Private Internet Access
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: privateinternetaccess.com
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: FileZilla
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: APPDATA
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \FileZilla\recentservers.xml
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: APPDATA
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \FileZilla\recentservers.xml
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <Server>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <Host>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <Host>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: </Host>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <Port>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: </Port>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <User>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <User>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: </User>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <Pass encoding="base64">
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <Pass encoding="base64">
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: </Pass>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <Pass>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <Pass encoding="base64">
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: </Pass>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: CoreFTP
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: User
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Host
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Port
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: hdfzpysvpzimorhk
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: WinSCP
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: HostName
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: UserName
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: PublicKeyFile
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: PortNumber
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: WinSCP
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ABCDEF
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Flash FXP
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: port
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: user
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: pass
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: quick.dat
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Sites.dat
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \FlashFXP\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \FlashFXP\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: FTP Navigator
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SystemDrive
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \FTP Navigator\Ftplist.txt
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Server
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: No Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: User
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SmartFTP
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: APPDATA
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: WS_FTP
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: appdata
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: HOST
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: PWD=
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: PWD=
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: FtpCommander
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SystemDrive
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SystemDrive
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SystemDrive
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \cftp\Ftplist.txt
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ;Password=
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ;User=
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ;Server=
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ;Port=
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ;Port=
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ;Password=
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ;User=
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ;Anonymous=
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: FTPGetter
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \FTPGetter\servers.xml
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <server>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <server_ip>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <server_ip>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: </server_ip>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <server_port>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: </server_port>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <server_user_name>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <server_user_name>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: </server_user_name>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <server_user_password>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: <server_user_password>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: </server_user_password>
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: FTPGetter
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: The Bat!
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: appdata
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \The Bat!
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Account.CFN
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Account.CFN
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Becky!
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: DataDir
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Folder.lst
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Mailbox.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Account
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: PassWd
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Account
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SMTPServer
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Account
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: MailAddress
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Becky!
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Outlook
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Email
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: IMAP Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: POP3 Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: HTTP Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SMTP Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Email
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Email
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Email
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: IMAP Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: POP3 Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: HTTP Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SMTP Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Server
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Windows Mail App
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Email
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Server
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SchemaId
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: pResourceElement
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: pIdentityElement
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: pPackageSid
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: pAuthenticatorElement
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: syncpassword
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: mailoutgoing
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: FoxMail
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Executable
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: FoxmailPath
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Storage\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Storage\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \mail
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \mail
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Accounts\Account.rec0
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Accounts\Account.rec0
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Account.stg
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Account.stg
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: POP3Host
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SMTPHost
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: IncomingServer
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Account
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: MailAddress
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: POP3Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Opera Mail
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: opera:
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: PocoMail
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: appdata
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Pocomail\accounts.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Email
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: POPPass
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SMTPPass
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SMTP
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: eM Client
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: eM Client\accounts.dat
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: eM Client
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Accounts
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: "Username":"
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: "Secret":"
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: "ProviderName":"
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: o6806642kbM7c5
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Mailbird
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SenderIdentities
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Accounts
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \Mailbird\Store\Store.db
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Server_Host
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Accounts
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Email
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Username
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: EncryptedPassword
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Mailbird
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: RealVNC 4.x
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: RealVNC 3.x
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SOFTWARE\RealVNC\vncserver
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: RealVNC 4.x
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: RealVNC 3.x
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Software\ORL\WinVNC3
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: TightVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Software\TightVNC\Server
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: TightVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Software\TightVNC\Server
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: PasswordViewOnly
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: TightVNC ControlPassword
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Software\TightVNC\Server
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ControlPassword
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: TigerVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Software\TigerVNC\Server
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Password
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: UltraVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ProgramFiles(x86)
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: passwd
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: UltraVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ProgramFiles(x86)
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: passwd2
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: UltraVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ProgramFiles
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: passwd
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: UltraVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ProgramFiles
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: passwd2
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: UltraVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ProgramFiles
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: passwd
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: UltraVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ProgramFiles
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: passwd2
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: UltraVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ProgramFiles(x86)
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: passwd
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: UltraVNC
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: ProgramFiles(x86)
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: passwd2
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: JDownloader 2.0
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: JDownloader 2.0\cfg
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: JDownloader 2.0\cfg
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Paltalk
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: Software\A.V.M.\Paltalk NG\common_settings\core\users\creds\
Source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack String decryptor: nickname
Uses 32bit PE files
Source: LisectAVT_2403002A_16.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002A_16.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: FPzK.pdb source: LisectAVT_2403002A_16.exe, NxmtwwVGOtEdjd.exe.0.dr
Source: Binary string: FPzK.pdbSHA256 source: LisectAVT_2403002A_16.exe, NxmtwwVGOtEdjd.exe.0.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 4x nop then jmp 05A8CF23h 0_2_05A8CF7B
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 4x nop then jmp 0795C1ACh 10_2_0795C204
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49735 -> 199.79.62.115:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 199.79.62.115 199.79.62.115
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49735 -> 199.79.62.115:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: mail.mbarieservicesltd.com
Source: global traffic DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: LisectAVT_2403002A_16.exe, 00000009.00000002.2901886951.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp, NxmtwwVGOtEdjd.exe, 0000000F.00000002.2902484873.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.mbarieservicesltd.com
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1722615685.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp, NxmtwwVGOtEdjd.exe, 0000000A.00000002.1786665418.000000000323E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726399605.0000000005990000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1726982269.0000000007062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Detected potential crypto function
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 0_2_0130DC74 0_2_0130DC74
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 0_2_05A80620 0_2_05A80620
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 0_2_05A80611 0_2_05A80611
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 0_2_05A80006 0_2_05A80006
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 0_2_05A80040 0_2_05A80040
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 0_2_05A872B8 0_2_05A872B8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 0_2_05A88F48 0_2_05A88F48
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 0_2_05A88F58 0_2_05A88F58
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 0_2_05A86E80 0_2_05A86E80
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 0_2_05A88B20 0_2_05A88B20
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 0_2_05A86A15 0_2_05A86A15
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 0_2_05A86A48 0_2_05A86A48
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 9_2_01384140 9_2_01384140
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 9_2_01384D58 9_2_01384D58
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 9_2_01384488 9_2_01384488
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 9_2_06603934 9_2_06603934
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 9_2_066019A0 9_2_066019A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 9_2_0668C218 9_2_0668C218
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 9_2_06686338 9_2_06686338
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 9_2_06680040 9_2_06680040
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 9_2_0668A8F0 9_2_0668A8F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 9_2_066894B0 9_2_066894B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 9_2_06689C38 9_2_06689C38
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 9_2_066839E8 9_2_066839E8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 9_2_06680006 9_2_06680006
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 9_2_066839D8 9_2_066839D8
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_030CDC74 10_2_030CDC74
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_05737030 10_2_05737030
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_05730040 10_2_05730040
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_05730032 10_2_05730032
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_0573702B 10_2_0573702B
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_07950040 10_2_07950040
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_07953E18 10_2_07953E18
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_0795E688 10_2_0795E688
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_07950611 10_2_07950611
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_07950620 10_2_07950620
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_0795E668 10_2_0795E668
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_079572B8 10_2_079572B8
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_0795001E 10_2_0795001E
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_07958F58 10_2_07958F58
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_07958F48 10_2_07958F48
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_07956E80 10_2_07956E80
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_07953E0A 10_2_07953E0A
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_07958B20 10_2_07958B20
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_07956A0D 10_2_07956A0D
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_07956A48 10_2_07956A48
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 15_2_00FA4140 15_2_00FA4140
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 15_2_00FA4D58 15_2_00FA4D58
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 15_2_00FA4488 15_2_00FA4488
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 15_2_0630AC80 15_2_0630AC80
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 15_2_063004C8 15_2_063004C8
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 15_2_0630F578 15_2_0630F578
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 15_2_0630E5B8 15_2_0630E5B8
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 15_2_06309358 15_2_06309358
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 15_2_06307161 15_2_06307161
Sample file is different than original file name gathered from version info
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1729697957.000000000757A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXEj% vs LisectAVT_2403002A_16.exe
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1718798256.00000000010FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs LisectAVT_2403002A_16.exe
Source: LisectAVT_2403002A_16.exe, 00000000.00000000.1647863281.0000000000BDA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFPzK.exe< vs LisectAVT_2403002A_16.exe
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1730117949.0000000007B90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs LisectAVT_2403002A_16.exe
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1723431532.00000000041AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs LisectAVT_2403002A_16.exe
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1723431532.00000000041AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs LisectAVT_2403002A_16.exe
Source: LisectAVT_2403002A_16.exe, 00000000.00000002.1722615685.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs LisectAVT_2403002A_16.exe
Source: LisectAVT_2403002A_16.exe, 00000009.00000002.2898676233.0000000000EF9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs LisectAVT_2403002A_16.exe
Source: LisectAVT_2403002A_16.exe Binary or memory string: OriginalFilenameFPzK.exe< vs LisectAVT_2403002A_16.exe
Uses 32bit PE files
Source: LisectAVT_2403002A_16.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002A_16.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NxmtwwVGOtEdjd.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.LisectAVT_2403002A_16.exe.41d8730.5.raw.unpack, O.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_16.exe.41d8730.5.raw.unpack, O.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.LisectAVT_2403002A_16.exe.41d8730.5.raw.unpack, P.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_16.exe.41d8730.5.raw.unpack, P.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_16.exe.41d8730.5.raw.unpack, N.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_16.exe.41d8730.5.raw.unpack, N.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_16.exe.41d8730.5.raw.unpack, N.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_16.exe.41d8730.5.raw.unpack, N.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, Icw0P7E5I25dt8WiCY.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, ioHoB3xyTTvGj5kpgh.cs Security API names: _0020.SetAccessControl
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, ioHoB3xyTTvGj5kpgh.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, ioHoB3xyTTvGj5kpgh.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, Icw0P7E5I25dt8WiCY.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, ioHoB3xyTTvGj5kpgh.cs Security API names: _0020.SetAccessControl
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, ioHoB3xyTTvGj5kpgh.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, ioHoB3xyTTvGj5kpgh.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@23/15@2/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe File created: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Mutant created: \Sessions\1\BaseNamedObjects\nrmexAQCdAxIpmz
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7920:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe File created: C:\Users\user\AppData\Local\Temp\tmpB5CB.tmp Jump to behavior
Source: LisectAVT_2403002A_16.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LisectAVT_2403002A_16.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe File read: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpB5CB.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpCD2C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process created: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe"
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process created: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpB5CB.tmp" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpCD2C.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process created: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process created: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: LisectAVT_2403002A_16.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: LisectAVT_2403002A_16.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: LisectAVT_2403002A_16.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: FPzK.pdb source: LisectAVT_2403002A_16.exe, NxmtwwVGOtEdjd.exe.0.dr
Source: Binary string: FPzK.pdbSHA256 source: LisectAVT_2403002A_16.exe, NxmtwwVGOtEdjd.exe.0.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, ioHoB3xyTTvGj5kpgh.cs .Net Code: MWmr0l58sc System.Reflection.Assembly.Load(byte[])
Source: 0.2.LisectAVT_2403002A_16.exe.56e0000.6.raw.unpack, wehuuoKhMKMbnQu72K.cs .Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
Source: 0.2.LisectAVT_2403002A_16.exe.2eb44ec.2.raw.unpack, wehuuoKhMKMbnQu72K.cs .Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, ioHoB3xyTTvGj5kpgh.cs .Net Code: MWmr0l58sc System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: LisectAVT_2403002A_16.exe Static PE information: 0xFEADA566 [Tue May 26 14:55:34 2105 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 0_2_01304779 push esi; iretd 0_2_0130477A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 0_2_0130477B push ebp; iretd 0_2_01304782
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 0_2_013047B1 push esi; iretd 0_2_013047B2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 0_2_013046B8 push edx; iretd 0_2_013046BA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 0_2_013046BB push edx; iretd 0_2_013046C2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 0_2_0130AD27 pushfd ; iretd 0_2_0130AD2A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 0_2_0130AD2B pushfd ; iretd 0_2_0130AD32
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 0_2_05A88248 pushad ; iretd 0_2_05A88251
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 9_2_0668FCEF push ss; iretd 9_2_0668FCF0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Code function: 9_2_0668FCAF push ss; iretd 9_2_0668FCBD
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_07952520 push dword ptr [esi+5D906B4Fh]; ret 10_2_07952573
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 10_2_07958248 pushad ; iretd 10_2_07958251
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 15_2_06308627 pushad ; iretd 15_2_06308635
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 15_2_06305CA0 pushfd ; iretd 15_2_06305CAD
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Code function: 15_2_06303D5F push es; ret 15_2_06303D70
Source: LisectAVT_2403002A_16.exe Static PE information: section name: .text entropy: 7.613224313381159
Source: NxmtwwVGOtEdjd.exe.0.dr Static PE information: section name: .text entropy: 7.613224313381159
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, j9YWqGoNkeAufjqtfr.cs High entropy of concatenated method names: 'SwVBC7ZCD1', 'jhUBUErGuT', 'bffBomOKCf', 'W4uBflm9Px', 'UEjBMaa25b', 'MPCBNmn75V', 'Ig1B9KdYih', 'OsrBLCjqaJ', 'wsXBRXOfsc', 'FleBgTAvaX'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, ioHoB3xyTTvGj5kpgh.cs High entropy of concatenated method names: 'G9ndk8TnsG', 'jg3dZIJEHi', 'LjBdVa96e6', 'njPd8sy7Bo', 'kxQda3li6Z', 'ktdd2esIcl', 'JrRdebPBPP', 'a9edxPJqAd', 'Pfjd1MdnoS', 'CxUdIT8csT'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, WEkvyEiPg4exp1JWJr.cs High entropy of concatenated method names: 'PZc8DdvK17', 'l9p87q38HQ', 'j5W8ExCVDC', 'gV68igLBCF', 'KsN8BH6Ooe', 'NcJ8QB2txh', 'iyL8s6pMM1', 'qVj8cTJkLf', 'g8086nvp58', 'krU8GwMf5Z'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, rbl15J4iXuiF3yd9Pd.cs High entropy of concatenated method names: 'jOI63gVPXi', 'n296d5fH6H', 'Ul06rRK1yH', 'CMM6ZfhKG5', 'X5f6VZ7J6u', 'RES6aFvqWa', 'YxO621gL0n', 'evMcn1TQak', 'AhgcAtQIsF', 'WfYc5Ak4NU'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, Icw0P7E5I25dt8WiCY.cs High entropy of concatenated method names: 'Gk3Vojd3xF', 'UpXVfsYioH', 'W48VHS9vLY', 'H5RVj2QvDd', 'rsNVSgaler', 'bw3VuusPrG', 'xqWVn6ipha', 'C8kVAN9vCL', 'ehcV5kxvk1', 'QXSV4KGidN'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, XwoIjq3XxNvPNWGVI52.cs High entropy of concatenated method names: 'S9I6quAppn', 'JlE6PcGTqv', 'SpB60KOY5L', 'qjP6DTT0Do', 'xvT6FBq7tV', 'vsK67TUO69', 'KE46ykTPUU', 'xK26Ei4Otb', 'Jov6irQGiN', 'Aal6mlCDlR'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, OPdVgnRx7UCY8cpdFo.cs High entropy of concatenated method names: 'TfZ2HWlAL0', 'CDH2jiyDlM', 'PsY2SKfM56', 'ToString', 'nRi2uMGmfV', 'mGS2ns9kQw', 'VW1wfe4cQXhE4QS8t0q', 'gIuVL14qtxlhqLcSKme', 'V9HCGv4MNGDARBt7yYF'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, iKYG0MmubIw9OVMBtg.cs High entropy of concatenated method names: 'NfWaFrMeCy', 'ocvayym4Vb', 'Qxt8NPGEbw', 'bge89L9aFL', 'FrV8L75enC', 'nCK8RO97jH', 'y8H8gXfMji', 'cgq8l6SElR', 'KXV8wZV4Ij', 'J1J8CpPc5G'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, BAqoVNzExaAeveETi0.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nGt6KZD8kW', 'B2m6Bd1g5G', 'x5b6QwrK0C', 'l186sOqVHA', 'KWC6c28yta', 'S1x660KrN3', 'qx36G2ePrT'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, owyQps3JsOel92LKCfT.cs High entropy of concatenated method names: 'yyPGquyU4J', 'HOBGPMb2R8', 'fbcG0exi88', 'm4Xi4D0WUGYwl2iwreo', 'PuZ1ee0GpkK7MHMmbUx', 'kDh9Ln0LiWLB6pRTekC', 'zlLPV70uhF5v6O9SMMp', 'MWOUVt0zq9CgoKTPbNF'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, lvrY9n9k7lkh9Cl70l.cs High entropy of concatenated method names: 'dyU2vNq71H', 'bRk2qHAGtX', 'Qpn20Ie8IK', 'Dil2DQptVJ', 'y1k27iNsb5', 'imx2yTZCEx', 'CPt2ivNXMG', 'iO42m3uRWh', 'PlRYxG4EB672Ssut5jP', 's5Cqvv4dQVZ9udH5QQS'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, CrVdkuWHH6itGcKud7.cs High entropy of concatenated method names: 'cs42ktJLwq', 'L0R2Vd9YmN', 'j2c2apgiGR', 'FVi2eCaI7X', 'F2X2x6jpsg', 'oSOaSIiBMG', 'lmtauUo0RN', 'fHFann456d', 'EG4aAj3BkZ', 'FVaa5gAE3p'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, TNI5rOjXvELxKJP6Fj.cs High entropy of concatenated method names: 'CfksIuq50j', 'kvuspBFKxM', 'ToString', 'dR8sZa01jf', 'oBSsVBpPcp', 'EDos8Jm6MH', 'W6YsaP3s3U', 'lG5s2hT04B', 'FJ5seKuLH4', 'bJ9sxIrLJu'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, dMt11SJRe8APP9s2WL.cs High entropy of concatenated method names: 'DfW0LGWf8', 'yl0DiW3Mk', 'XO87wDb8b', 'ljCyYh3ms', 'buqi4rcbN', 'ipvmXVMfp', 'TVQXYPh1C0sAYF3Uxd', 'UlSnaZ81YHSEFdtVni', 'pOZMDMIS6fcFdyJc9P', 'RA0cppkBm'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, QG7R5hgsvLbIepY6MR.cs High entropy of concatenated method names: 'Qp9eZZB71w', 'sLGe8FrGFy', 'X5we2jcUuR', 'nDr24KU9Ms', 'itR2zuHXIZ', 'niXeXg3iOh', 'gk6e3O0EKL', 'iDleJWGD9X', 'OjiedqZRku', 'mGQeruVZC1'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, vVZlyfwE6D6VO1P3fu.cs High entropy of concatenated method names: 'IS6eqWM1UO', 'aqqePdd4Ww', 'dQoe0qsNj8', 'ucbeDX7HC8', 'NcGeFZ58HE', 'SYRe7ktiZp', 'GRkey9vBMa', 'eMmeEgpjoi', 'gfueiotCx9', 'Rd3em2EVjB'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, yp7P2SryFTLLqPCLLF.cs High entropy of concatenated method names: 'S393ecw0P7', 'YI23x5dt8W', 'EPg3I4exp1', 'cWJ3pr2KYG', 'gMB3Btg7rV', 'dku3QHH6it', 'Tga5uvB9jYMQHAFdI2', 'YHSRAKNCSCobJVmv0l', 'K1c331286p', 'zrj3dLrk18'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, WTyLNRuTreLPB4U01m.cs High entropy of concatenated method names: 'CQMsApFQ0g', 'OGIs4PsFeP', 'QdAcXpX1b3', 'fPmc3asCCe', 'haUsTyBEYH', 'Y1DsUeR6fJ', 'XpssbgB0KU', 'yOSsoK7bGf', 'MMcsfgZliF', 'dC8sH0qY0s'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, NpB9h6VafMhAx1WsJp.cs High entropy of concatenated method names: 'Dispose', 'AJi35vDi97', 'BTHJMf9HMs', 'tAuccFwjJ9', 'IHh34UJHEi', 'Hv53zFuv68', 'ProcessDialogKey', 'niWJXfxvCg', 'V7eJ31vJQV', 'AXCJJcbl15'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, ShUJHEAiMv5Fuv68Ki.cs High entropy of concatenated method names: 'reicZxmOIa', 'mVrcVTteJu', 'qkxc8Byeb0', 'yDEca2XNs6', 'S2lc22ZKj2', 'uv5ceGNQjL', 'pwhcxLYg6y', 'VfLc1iJT7L', 'CkXcI4I5TX', 'DUdcpuyU5N'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, z2DRmH3drgXDZwPhdrF.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VciGoABM39', 'wm2GfLRJ7I', 'UqgGHbEgff', 'vfPGjQqj3q', 'uVRGS29YT5', 'HeOGu5CcVi', 'C0oGnAM5Qv'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, yWjIbkbFk9uQinWgPH.cs High entropy of concatenated method names: 'PGbKEHongF', 'qe7KiRBmqH', 'PmCKW3fLEF', 'qaFKMKqOke', 'IddK9nSrCj', 'qPnKLVpZk7', 'mk2KgF0FaP', 'TyJKlLtkL3', 'XUwKCXwIjQ', 'F3GKThIsTt'
Source: 0.2.LisectAVT_2403002A_16.exe.7b90000.8.raw.unpack, GfxvCg5n7e1vJQVDXC.cs High entropy of concatenated method names: 'B66cWq08vZ', 'PjOcMQSOoJ', 'HENcNl88o6', 'bKEc9YpV10', 'lgtcoGe4TI', 'UsNcLkoHPf', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.LisectAVT_2403002A_16.exe.56e0000.6.raw.unpack, kdFvaMFVPKs73pA7Ae.cs High entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
Source: 0.2.LisectAVT_2403002A_16.exe.56e0000.6.raw.unpack, DD.cs High entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
Source: 0.2.LisectAVT_2403002A_16.exe.56e0000.6.raw.unpack, ihWImL1h2qjtIkVYDh.cs High entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
Source: 0.2.LisectAVT_2403002A_16.exe.56e0000.6.raw.unpack, oImfMJtvGUo8fMQNBQ.cs High entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
Source: 0.2.LisectAVT_2403002A_16.exe.56e0000.6.raw.unpack, wehuuoKhMKMbnQu72K.cs High entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
Source: 0.2.LisectAVT_2403002A_16.exe.2eb44ec.2.raw.unpack, kdFvaMFVPKs73pA7Ae.cs High entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
Source: 0.2.LisectAVT_2403002A_16.exe.2eb44ec.2.raw.unpack, DD.cs High entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
Source: 0.2.LisectAVT_2403002A_16.exe.2eb44ec.2.raw.unpack, ihWImL1h2qjtIkVYDh.cs High entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
Source: 0.2.LisectAVT_2403002A_16.exe.2eb44ec.2.raw.unpack, oImfMJtvGUo8fMQNBQ.cs High entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
Source: 0.2.LisectAVT_2403002A_16.exe.2eb44ec.2.raw.unpack, wehuuoKhMKMbnQu72K.cs High entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, j9YWqGoNkeAufjqtfr.cs High entropy of concatenated method names: 'SwVBC7ZCD1', 'jhUBUErGuT', 'bffBomOKCf', 'W4uBflm9Px', 'UEjBMaa25b', 'MPCBNmn75V', 'Ig1B9KdYih', 'OsrBLCjqaJ', 'wsXBRXOfsc', 'FleBgTAvaX'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, ioHoB3xyTTvGj5kpgh.cs High entropy of concatenated method names: 'G9ndk8TnsG', 'jg3dZIJEHi', 'LjBdVa96e6', 'njPd8sy7Bo', 'kxQda3li6Z', 'ktdd2esIcl', 'JrRdebPBPP', 'a9edxPJqAd', 'Pfjd1MdnoS', 'CxUdIT8csT'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, WEkvyEiPg4exp1JWJr.cs High entropy of concatenated method names: 'PZc8DdvK17', 'l9p87q38HQ', 'j5W8ExCVDC', 'gV68igLBCF', 'KsN8BH6Ooe', 'NcJ8QB2txh', 'iyL8s6pMM1', 'qVj8cTJkLf', 'g8086nvp58', 'krU8GwMf5Z'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, rbl15J4iXuiF3yd9Pd.cs High entropy of concatenated method names: 'jOI63gVPXi', 'n296d5fH6H', 'Ul06rRK1yH', 'CMM6ZfhKG5', 'X5f6VZ7J6u', 'RES6aFvqWa', 'YxO621gL0n', 'evMcn1TQak', 'AhgcAtQIsF', 'WfYc5Ak4NU'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, Icw0P7E5I25dt8WiCY.cs High entropy of concatenated method names: 'Gk3Vojd3xF', 'UpXVfsYioH', 'W48VHS9vLY', 'H5RVj2QvDd', 'rsNVSgaler', 'bw3VuusPrG', 'xqWVn6ipha', 'C8kVAN9vCL', 'ehcV5kxvk1', 'QXSV4KGidN'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, XwoIjq3XxNvPNWGVI52.cs High entropy of concatenated method names: 'S9I6quAppn', 'JlE6PcGTqv', 'SpB60KOY5L', 'qjP6DTT0Do', 'xvT6FBq7tV', 'vsK67TUO69', 'KE46ykTPUU', 'xK26Ei4Otb', 'Jov6irQGiN', 'Aal6mlCDlR'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, OPdVgnRx7UCY8cpdFo.cs High entropy of concatenated method names: 'TfZ2HWlAL0', 'CDH2jiyDlM', 'PsY2SKfM56', 'ToString', 'nRi2uMGmfV', 'mGS2ns9kQw', 'VW1wfe4cQXhE4QS8t0q', 'gIuVL14qtxlhqLcSKme', 'V9HCGv4MNGDARBt7yYF'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, iKYG0MmubIw9OVMBtg.cs High entropy of concatenated method names: 'NfWaFrMeCy', 'ocvayym4Vb', 'Qxt8NPGEbw', 'bge89L9aFL', 'FrV8L75enC', 'nCK8RO97jH', 'y8H8gXfMji', 'cgq8l6SElR', 'KXV8wZV4Ij', 'J1J8CpPc5G'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, BAqoVNzExaAeveETi0.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nGt6KZD8kW', 'B2m6Bd1g5G', 'x5b6QwrK0C', 'l186sOqVHA', 'KWC6c28yta', 'S1x660KrN3', 'qx36G2ePrT'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, owyQps3JsOel92LKCfT.cs High entropy of concatenated method names: 'yyPGquyU4J', 'HOBGPMb2R8', 'fbcG0exi88', 'm4Xi4D0WUGYwl2iwreo', 'PuZ1ee0GpkK7MHMmbUx', 'kDh9Ln0LiWLB6pRTekC', 'zlLPV70uhF5v6O9SMMp', 'MWOUVt0zq9CgoKTPbNF'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, lvrY9n9k7lkh9Cl70l.cs High entropy of concatenated method names: 'dyU2vNq71H', 'bRk2qHAGtX', 'Qpn20Ie8IK', 'Dil2DQptVJ', 'y1k27iNsb5', 'imx2yTZCEx', 'CPt2ivNXMG', 'iO42m3uRWh', 'PlRYxG4EB672Ssut5jP', 's5Cqvv4dQVZ9udH5QQS'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, CrVdkuWHH6itGcKud7.cs High entropy of concatenated method names: 'cs42ktJLwq', 'L0R2Vd9YmN', 'j2c2apgiGR', 'FVi2eCaI7X', 'F2X2x6jpsg', 'oSOaSIiBMG', 'lmtauUo0RN', 'fHFann456d', 'EG4aAj3BkZ', 'FVaa5gAE3p'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, TNI5rOjXvELxKJP6Fj.cs High entropy of concatenated method names: 'CfksIuq50j', 'kvuspBFKxM', 'ToString', 'dR8sZa01jf', 'oBSsVBpPcp', 'EDos8Jm6MH', 'W6YsaP3s3U', 'lG5s2hT04B', 'FJ5seKuLH4', 'bJ9sxIrLJu'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, dMt11SJRe8APP9s2WL.cs High entropy of concatenated method names: 'DfW0LGWf8', 'yl0DiW3Mk', 'XO87wDb8b', 'ljCyYh3ms', 'buqi4rcbN', 'ipvmXVMfp', 'TVQXYPh1C0sAYF3Uxd', 'UlSnaZ81YHSEFdtVni', 'pOZMDMIS6fcFdyJc9P', 'RA0cppkBm'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, QG7R5hgsvLbIepY6MR.cs High entropy of concatenated method names: 'Qp9eZZB71w', 'sLGe8FrGFy', 'X5we2jcUuR', 'nDr24KU9Ms', 'itR2zuHXIZ', 'niXeXg3iOh', 'gk6e3O0EKL', 'iDleJWGD9X', 'OjiedqZRku', 'mGQeruVZC1'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, vVZlyfwE6D6VO1P3fu.cs High entropy of concatenated method names: 'IS6eqWM1UO', 'aqqePdd4Ww', 'dQoe0qsNj8', 'ucbeDX7HC8', 'NcGeFZ58HE', 'SYRe7ktiZp', 'GRkey9vBMa', 'eMmeEgpjoi', 'gfueiotCx9', 'Rd3em2EVjB'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, yp7P2SryFTLLqPCLLF.cs High entropy of concatenated method names: 'S393ecw0P7', 'YI23x5dt8W', 'EPg3I4exp1', 'cWJ3pr2KYG', 'gMB3Btg7rV', 'dku3QHH6it', 'Tga5uvB9jYMQHAFdI2', 'YHSRAKNCSCobJVmv0l', 'K1c331286p', 'zrj3dLrk18'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, WTyLNRuTreLPB4U01m.cs High entropy of concatenated method names: 'CQMsApFQ0g', 'OGIs4PsFeP', 'QdAcXpX1b3', 'fPmc3asCCe', 'haUsTyBEYH', 'Y1DsUeR6fJ', 'XpssbgB0KU', 'yOSsoK7bGf', 'MMcsfgZliF', 'dC8sH0qY0s'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, NpB9h6VafMhAx1WsJp.cs High entropy of concatenated method names: 'Dispose', 'AJi35vDi97', 'BTHJMf9HMs', 'tAuccFwjJ9', 'IHh34UJHEi', 'Hv53zFuv68', 'ProcessDialogKey', 'niWJXfxvCg', 'V7eJ31vJQV', 'AXCJJcbl15'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, ShUJHEAiMv5Fuv68Ki.cs High entropy of concatenated method names: 'reicZxmOIa', 'mVrcVTteJu', 'qkxc8Byeb0', 'yDEca2XNs6', 'S2lc22ZKj2', 'uv5ceGNQjL', 'pwhcxLYg6y', 'VfLc1iJT7L', 'CkXcI4I5TX', 'DUdcpuyU5N'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, z2DRmH3drgXDZwPhdrF.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VciGoABM39', 'wm2GfLRJ7I', 'UqgGHbEgff', 'vfPGjQqj3q', 'uVRGS29YT5', 'HeOGu5CcVi', 'C0oGnAM5Qv'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, yWjIbkbFk9uQinWgPH.cs High entropy of concatenated method names: 'PGbKEHongF', 'qe7KiRBmqH', 'PmCKW3fLEF', 'qaFKMKqOke', 'IddK9nSrCj', 'qPnKLVpZk7', 'mk2KgF0FaP', 'TyJKlLtkL3', 'XUwKCXwIjQ', 'F3GKThIsTt'
Source: 0.2.LisectAVT_2403002A_16.exe.422d070.3.raw.unpack, GfxvCg5n7e1vJQVDXC.cs High entropy of concatenated method names: 'B66cWq08vZ', 'PjOcMQSOoJ', 'HENcNl88o6', 'bKEc9YpV10', 'lgtcoGe4TI', 'UsNcLkoHPf', 'Next', 'Next', 'Next', 'NextBytes'
Drops PE files
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe File created: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpB5CB.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_16.exe PID: 6668, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NxmtwwVGOtEdjd.exe PID: 7680, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: 1300000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: 2E90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: 4E90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: 7C00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: 8C00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: 8EB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: 9EB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: 1340000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: 2E70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: 14A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Memory allocated: 2FB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Memory allocated: 31E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Memory allocated: 3020000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Memory allocated: 79D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Memory allocated: 89D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Memory allocated: 79D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Memory allocated: F60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Memory allocated: 2CE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Memory allocated: 2A70000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8436 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8182 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 505 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Window / User API: threadDelayed 2784 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Window / User API: threadDelayed 1041 Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Window / User API: threadDelayed 1143
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Window / User API: threadDelayed 2365
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 2060 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7540 Thread sleep time: -11068046444225724s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7444 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7576 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7428 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7628 Thread sleep count: 2784 > 30 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -11990383647911201s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -99891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -99776s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -99671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -99548s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -99437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7628 Thread sleep count: 1041 > 30 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -99296s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -99172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -99059s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -98938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -98813s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -98704s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -98594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -98454s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -98329s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -98219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -98107s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -97999s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -97774s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -97469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -97279s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe TID: 7728 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 7740 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8044 Thread sleep count: 1143 > 30
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8044 Thread sleep count: 2365 > 30
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -99671s >= -30000s
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -99562s >= -30000s
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -99342s >= -30000s
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -99226s >= -30000s
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -99119s >= -30000s
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -98843s >= -30000s
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -98634s >= -30000s
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -98499s >= -30000s
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -98336s >= -30000s
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -98233s >= -30000s
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -98109s >= -30000s
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -97999s >= -30000s
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe TID: 8048 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 99891 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 99776 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 99671 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 99548 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 99437 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 99296 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 99172 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 99059 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 98938 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 98813 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 98704 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 98594 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 98454 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 98329 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 98219 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 98107 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 97999 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 97774 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 97469 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 97279 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 99781
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 99671
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 99562
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 99453
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 99342
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 99226
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 99119
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 98843
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 98634
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 98499
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 98336
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 98233
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 98109
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 97999
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Thread delayed: delay time: 922337203685477
Source: LisectAVT_2403002A_16.exe, 00000009.00000002.2899755875.00000000011EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|
Source: NxmtwwVGOtEdjd.exe, 0000000F.00000002.2900321221.000000000100C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllPROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Win6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Memory written: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Memory written: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpB5CB.tmp" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe "C:\Users\user\Desktop\LisectAVT_2403002A_16.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NxmtwwVGOtEdjd" /XML "C:\Users\user\AppData\Local\Temp\tmpCD2C.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process created: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Process created: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe "C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Queries volume information: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Queries volume information: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 10.2.NxmtwwVGOtEdjd.exe.45296a0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.NxmtwwVGOtEdjd.exe.4500680.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_16.exe.41d8730.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.NxmtwwVGOtEdjd.exe.45296a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.NxmtwwVGOtEdjd.exe.4500680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_16.exe.41d8730.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2898350883.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1787617220.0000000004500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1723431532.00000000041AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0000000F.00000002.2902484873.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2901886951.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2901886951.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2902484873.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_16.exe PID: 7544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NxmtwwVGOtEdjd.exe PID: 7972, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe File opened: C:\FTP Navigator\Ftplist.txt
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_16.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\NxmtwwVGOtEdjd.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 00000009.00000002.2901886951.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2902484873.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_16.exe PID: 7544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NxmtwwVGOtEdjd.exe PID: 7972, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 10.2.NxmtwwVGOtEdjd.exe.45296a0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.NxmtwwVGOtEdjd.exe.4500680.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_16.exe.41d8730.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.NxmtwwVGOtEdjd.exe.45296a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.NxmtwwVGOtEdjd.exe.4500680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_16.exe.41d8730.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_16.exe.41af710.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2898350883.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1787617220.0000000004500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1723431532.00000000041AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0000000F.00000002.2902484873.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2901886951.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2901886951.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2902484873.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_16.exe PID: 7544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NxmtwwVGOtEdjd.exe PID: 7972, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1482478 Sample: LisectAVT_2403002A_16.exe Startdate: 25/07/2024 Architecture: WINDOWS Score: 100 48 mail.mbarieservicesltd.com 2->48 50 171.39.242.20.in-addr.arpa 2->50 54 Found malware configuration 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 Sigma detected: Scheduled temp file as task from temp location 2->58 60 7 other signatures 2->60 8 LisectAVT_2403002A_16.exe 7 2->8         started        12 NxmtwwVGOtEdjd.exe 5 2->12         started        signatures3 process4 file5 40 C:\Users\user\AppData\...40xmtwwVGOtEdjd.exe, PE32 8->40 dropped 42 C:\...42xmtwwVGOtEdjd.exe:Zone.Identifier, ASCII 8->42 dropped 44 C:\Users\user\AppData\Local\...\tmpB5CB.tmp, XML 8->44 dropped 46 C:\Users\...\LisectAVT_2403002A_16.exe.log, ASCII 8->46 dropped 62 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->62 64 Uses schtasks.exe or at.exe to add and modify task schedules 8->64 66 Adds a directory exclusion to Windows Defender 8->66 14 LisectAVT_2403002A_16.exe 2 8->14         started        18 powershell.exe 22 8->18         started        20 powershell.exe 23 8->20         started        28 2 other processes 8->28 68 Antivirus detection for dropped file 12->68 70 Machine Learning detection for dropped file 12->70 72 Injects a PE file into a foreign processes 12->72 22 NxmtwwVGOtEdjd.exe 12->22         started        24 schtasks.exe 12->24         started        26 NxmtwwVGOtEdjd.exe 12->26         started        signatures6 process7 dnsIp8 52 mail.mbarieservicesltd.com 199.79.62.115, 49735, 49736, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->52 74 Loading BitLocker PowerShell Module 18->74 30 conhost.exe 18->30         started        32 WmiPrvSE.exe 18->32         started        34 conhost.exe 20->34         started        76 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->76 78 Tries to steal Mail credentials (via file / registry access) 22->78 80 Tries to harvest and steal ftp login credentials 22->80 82 Tries to harvest and steal browser information (history, passwords, etc) 22->82 36 conhost.exe 24->36         started        38 conhost.exe 28->38         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
199.79.62.115
 mail.mbarieservicesltd.com United States
394695 PUBLIC-DOMAIN-REGISTRYUS true

Contacted Domains

Name IP Active
mail.mbarieservicesltd.com 199.79.62.115 true
171.39.242.20.in-addr.arpa unknown unknown