Windows Analysis Report
LisectAVT_2403002A_133.exe

Overview

General Information

Sample name: LisectAVT_2403002A_133.exe
Analysis ID: 1482509
MD5: 56808e1595200230cae4ae17b5dbb869
SHA1: ce0935fefed25268069331ba6277b4d14c385e28
SHA256: 1a38e29dff73f042b8abb0ed1398a37eefa8fe3f6030e27a9a22b8964263b146
Tags: AgentTeslaexe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: LisectAVT_2403002A_133.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Avira: detection malicious, Label: HEUR/AGEN.1323752
Found malware configuration
Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.kabeercommodities.com", "Username": "export@kabeercommodities.com", "Password": "w{A6H.o&sz%g"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: LisectAVT_2403002A_133.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: LisectAVT_2403002A_133.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: LisectAVT_2403002A_133.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 4x nop then jmp 02A572EFh 4_2_02A5696C
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 4x nop then jmp 02716507h 19_2_02715B84

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49706 -> 45.91.139.1:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 45.91.139.1 45.91.139.1
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: MEER-ASmeerfarbigGmbHCoKGDE MEER-ASmeerfarbigGmbHCoKGDE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.7:49706 -> 45.91.139.1:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: mail.kabeercommodities.com
Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2539654353.0000000006927000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micros;
Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.00000000031AC000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.000000000307C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://kabeercommodities.com
Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.00000000031AC000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.000000000307C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.kabeercommodities.com
Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2526645083.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2526645083.0000000001676000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.00000000031B4000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2526896258.0000000001249000.00000004.00000020.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r10.i.lencr.org/09
Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2526645083.0000000001676000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.00000000031B4000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2526896258.0000000001249000.00000004.00000020.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r10.o.lencr.org0#
Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1343518581.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.0000000003131000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000013.00000002.1402251524.0000000002810000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2526645083.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.00000000031B4000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2526896258.0000000001214000.00000004.00000020.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2526645083.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.00000000031B4000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2526896258.0000000001214000.00000004.00000020.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2539536816.00000000063CB000.00000004.00000020.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1344574120.0000000004000000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000004.00000002.1344574120.0000000004921000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000013.00000002.1403560028.0000000003AE1000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2522255682.0000000000415000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1344574120.0000000004000000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000004.00000002.1344574120.0000000004921000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.0000000003131000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000013.00000002.1403560028.0000000003AE1000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003001000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2522255682.0000000000415000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.0000000003131000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2527987214.0000000003131000.00000004.00000800.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2528847260.0000000003001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49707 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, NDL2m67zO.cs .Net Code: recg
Source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.raw.unpack, NDL2m67zO.cs .Net Code: recg

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 19.2.GlIToApjgGEL.exe.3ae17c0.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.GlIToApjgGEL.exe.3b1c1e0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.GlIToApjgGEL.exe.3b1c1e0.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.GlIToApjgGEL.exe.3ae17c0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Detected potential crypto function
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 4_2_00F28940 4_2_00F28940
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 4_2_00F28C52 4_2_00F28C52
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 4_2_00F274C3 4_2_00F274C3
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 4_2_00F289E1 4_2_00F289E1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 4_2_00F271A0 4_2_00F271A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 4_2_00F2750A 4_2_00F2750A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 4_2_00F27989 4_2_00F27989
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 4_2_02A528A7 4_2_02A528A7
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 4_2_02A528B8 4_2_02A528B8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 4_2_02A50830 4_2_02A50830
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 4_2_02A51EF7 4_2_02A51EF7
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 4_2_02A51F08 4_2_02A51F08
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 4_2_02A52CE1 4_2_02A52CE1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 4_2_02A52CF0 4_2_02A52CF0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 4_2_02A58C18 4_2_02A58C18
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 4_2_02A50C68 4_2_02A50C68
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 4_2_085AB668 4_2_085AB668
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 4_2_085AB658 4_2_085AB658
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 18_2_0159E6A9 18_2_0159E6A9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 18_2_0159D9C0 18_2_0159D9C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 18_2_01594A98 18_2_01594A98
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 18_2_01593E80 18_2_01593E80
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 18_2_015941C8 18_2_015941C8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 18_2_06E465E0 18_2_06E465E0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 18_2_06E45580 18_2_06E45580
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 18_2_06E47D78 18_2_06E47D78
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 18_2_06E4B21F 18_2_06E4B21F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 18_2_06E43038 18_2_06E43038
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 18_2_06E4C178 18_2_06E4C178
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 18_2_06E47698 18_2_06E47698
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 18_2_06E45CCF 18_2_06E45CCF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 18_2_06E4059B 18_2_06E4059B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 18_2_06E4E3A0 18_2_06E4E3A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 18_2_06E42340 18_2_06E42340
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 18_2_06E4001F 18_2_06E4001F
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 19_2_02568940 19_2_02568940
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 19_2_02568C52 19_2_02568C52
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 19_2_025671A0 19_2_025671A0
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 19_2_0256740B 19_2_0256740B
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 19_2_025689E1 19_2_025689E1
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 19_2_025674C3 19_2_025674C3
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 19_2_0256750A 19_2_0256750A
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 19_2_02567989 19_2_02567989
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 19_2_02710830 19_2_02710830
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 19_2_027128B8 19_2_027128B8
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 19_2_027128A7 19_2_027128A7
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 19_2_02711EF7 19_2_02711EF7
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 19_2_02717F20 19_2_02717F20
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 19_2_02711F08 19_2_02711F08
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 19_2_02710C68 19_2_02710C68
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 19_2_02712CF0 19_2_02712CF0
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 19_2_02712CE1 19_2_02712CE1
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_013EA190 24_2_013EA190
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_013EE6B8 24_2_013EE6B8
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_013EA958 24_2_013EA958
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_013E4A98 24_2_013E4A98
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_013E3E80 24_2_013E3E80
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_013E41C8 24_2_013E41C8
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_06B25580 24_2_06B25580
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_06B265E0 24_2_06B265E0
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_06B27D78 24_2_06B27D78
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_06B2B230 24_2_06B2B230
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_06B22350 24_2_06B22350
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_06B2C178 24_2_06B2C178
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_06B27698 24_2_06B27698
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_06B25CE0 24_2_06B25CE0
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_06B2E3A0 24_2_06B2E3A0
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_06B20006 24_2_06B20006
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_06B20040 24_2_06B20040
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_06B20324 24_2_06B20324
Sample file is different than original file name gathered from version info
Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1339585942.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs LisectAVT_2403002A_133.exe
Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1347383930.0000000008503000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs LisectAVT_2403002A_133.exe
Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1347383930.0000000008503000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename#f vs LisectAVT_2403002A_133.exe
Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1347383930.0000000008503000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamerTnN.exe4 vs LisectAVT_2403002A_133.exe
Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1347383930.00000000084A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameschtasks.exej% vs LisectAVT_2403002A_133.exe
Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1344574120.0000000004000000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamed820472a-a748-4fee-95a9-5eaffb307398.exe4 vs LisectAVT_2403002A_133.exe
Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1344574120.0000000004000000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs LisectAVT_2403002A_133.exe
Source: LisectAVT_2403002A_133.exe, 00000004.00000000.1270481428.00000000008C8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamerTnN.exe4 vs LisectAVT_2403002A_133.exe
Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1343518581.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamed820472a-a748-4fee-95a9-5eaffb307398.exe4 vs LisectAVT_2403002A_133.exe
Source: LisectAVT_2403002A_133.exe, 00000004.00000002.1347867209.0000000008740000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs LisectAVT_2403002A_133.exe
Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2523232143.00000000012F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs LisectAVT_2403002A_133.exe
Source: LisectAVT_2403002A_133.exe Binary or memory string: OriginalFilenamerTnN.exe4 vs LisectAVT_2403002A_133.exe
Uses 32bit PE files
Source: LisectAVT_2403002A_133.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 19.2.GlIToApjgGEL.exe.3ae17c0.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.GlIToApjgGEL.exe.3b1c1e0.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.GlIToApjgGEL.exe.3b1c1e0.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.GlIToApjgGEL.exe.3ae17c0.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: LisectAVT_2403002A_133.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GlIToApjgGEL.exe.4.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, OTWUo99bfyR.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, OTWUo99bfyR.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, Ui9qhZiA7.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, Ui9qhZiA7.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, BqMB7yHhrXg.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, BqMB7yHhrXg.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, BqMB7yHhrXg.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, BqMB7yHhrXg.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, oaIYYEGbjWh1PKKUmq.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, XSiZdC5Wk4sX5ZXI0h.cs Security API names: _0020.SetAccessControl
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, XSiZdC5Wk4sX5ZXI0h.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, XSiZdC5Wk4sX5ZXI0h.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@21/15@2/2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe File created: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Mutant created: \Sessions\1\BaseNamedObjects\eQQweYsDUhlpl
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2172:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe File created: C:\Users\user\AppData\Local\Temp\tmpCD6C.tmp Jump to behavior
Source: LisectAVT_2403002A_133.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LisectAVT_2403002A_133.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe File read: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpCD6C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpE6EF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process created: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe"
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process created: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpCD6C.tmp" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpE6EF.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process created: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process created: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: LisectAVT_2403002A_133.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: LisectAVT_2403002A_133.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 4.2.LisectAVT_2403002A_133.exe.2cf4a18.1.raw.unpack, wehuuoKhMKMbnQu72K.cs .Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
Source: 4.2.LisectAVT_2403002A_133.exe.6de0000.5.raw.unpack, wehuuoKhMKMbnQu72K.cs .Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, XSiZdC5Wk4sX5ZXI0h.cs .Net Code: QycL3A5n98 System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 4_2_00F2EA88 push eax; iretd 4_2_00F2EA89
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 18_2_0159A1DB pushfd ; retf 0565h 18_2_0159A6B1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 18_2_01590C45 push ebx; retf 18_2_01590C52
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Code function: 18_2_01590C6D push edi; retf 18_2_01590C7A
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 19_2_0256EA88 push eax; iretd 19_2_0256EA89
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 19_2_025697B0 push 14027692h; iretd 19_2_0256987D
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 19_2_02714821 push esi; retf 19_2_02714822
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_013E0C6D push edi; retf 24_2_013E0C7A
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_013E0C53 push ebx; retf 24_2_013E0C52
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Code function: 24_2_013E0C45 push ebx; retf 24_2_013E0C52
Source: LisectAVT_2403002A_133.exe Static PE information: section name: .text entropy: 7.956613403047499
Source: GlIToApjgGEL.exe.4.dr Static PE information: section name: .text entropy: 7.956613403047499
Source: 4.2.LisectAVT_2403002A_133.exe.2cf4a18.1.raw.unpack, kdFvaMFVPKs73pA7Ae.cs High entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
Source: 4.2.LisectAVT_2403002A_133.exe.2cf4a18.1.raw.unpack, DD.cs High entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
Source: 4.2.LisectAVT_2403002A_133.exe.2cf4a18.1.raw.unpack, ihWImL1h2qjtIkVYDh.cs High entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
Source: 4.2.LisectAVT_2403002A_133.exe.2cf4a18.1.raw.unpack, oImfMJtvGUo8fMQNBQ.cs High entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
Source: 4.2.LisectAVT_2403002A_133.exe.2cf4a18.1.raw.unpack, wehuuoKhMKMbnQu72K.cs High entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
Source: 4.2.LisectAVT_2403002A_133.exe.6de0000.5.raw.unpack, kdFvaMFVPKs73pA7Ae.cs High entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
Source: 4.2.LisectAVT_2403002A_133.exe.6de0000.5.raw.unpack, DD.cs High entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
Source: 4.2.LisectAVT_2403002A_133.exe.6de0000.5.raw.unpack, ihWImL1h2qjtIkVYDh.cs High entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
Source: 4.2.LisectAVT_2403002A_133.exe.6de0000.5.raw.unpack, oImfMJtvGUo8fMQNBQ.cs High entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
Source: 4.2.LisectAVT_2403002A_133.exe.6de0000.5.raw.unpack, wehuuoKhMKMbnQu72K.cs High entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, Q0vpVvSH5GMpEnUVq3.cs High entropy of concatenated method names: 'W8jKiuJ7LD', 'Fq2KybPnnI', 'yyZKprXC5j', 'J0eKYNvEee', 'dxlKcbcXSV', 'gUAKA5c97D', 'b91K5bQsn2', 'iHMKDgc52x', 'caDK0Eaq4t', 'XDTKkUKhZ3'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, d7eZWkjobMx1kktcNq.cs High entropy of concatenated method names: 'twycWJ3oQk', 'AAJcyGu958', 'fG2cYeUEHI', 'wVkcAQBTiv', 'NLWc5NdjpT', 'gk5Ym4VkB6', 'RMTYeqbVsI', 'isPY4Ki7VD', 'dyXYShLbob', 'kZIYTYBwnp'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, l1ZjH3FqBk7m3jAhOp.cs High entropy of concatenated method names: 'sN3trtrr6q', 'qIKtNenhld', 'rOptLebBA0', 'oZOtiLPsD9', 'SMxtysfFmr', 'S3StYPpOFk', 'qihtc96oQ8', 'zUHK4fuet9', 't7EKSHgFAd', 'LOQKTa5cGy'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, UABv9PrxcswaCKu77d9.cs High entropy of concatenated method names: 'VCktZUcDgy', 'XxZtChhtHs', 'biEt3DpJul', 'koCtHwVaSl', 'AvdtEwZxfD', 'Ki8tvnmSis', 'o2AtbBSmtI', 'pDDtG4GKAK', 'n1atP5e10W', 'umutaqNo32'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, WLQyxlrNPWgvdrMdKHe.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yN9sR2g6ZQ', 'LrRsuXPuIy', 'QdusJJe3oI', 'fkCs9ETYNZ', 'hrmsmtANhw', 'fQKse3ySm2', 'hxos4XaZib'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, p681EQzv8P3Gf2coDi.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hUttwT2Wyj', 'AbBt8P46Xn', 'C6ut2rmo9I', 'zgWtOLaa1g', 'kDvtKBKvEh', 'qpSttVFynO', 'xDLtso2ADM'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, oaIYYEGbjWh1PKKUmq.cs High entropy of concatenated method names: 'HBAyRmM8LY', 'wUVyuuSoPX', 'O3TyJ3i7nB', 'Lmny99S1yI', 'uyEymgt9Vu', 'QXKye9nSnc', 'nqUy4v21Bp', 'gufySu0yY8', 'y79yTxX1kh', 'UE3yFOwn82'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, VVbDJ6g1mjpxbiLeaT.cs High entropy of concatenated method names: 'ysD3DTRk7', 'hUZHDB3PG', 'h9pvn1QkC', 'l45bclgr4', 'K3QPvLjJR', 'IPla6lFJh', 'zofZPBp8GNxAx3hw8P', 'i9d3Rvfc3tFMoGmyon', 'ugUKk43IB', 'avWsWpUdG'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, hF761QeXojqrtkst5L.cs High entropy of concatenated method names: 'N4dOS7gQyy', 'affOFeHot3', 'BWiKxW4xB7', 'najKrpEQue', 'y2SOq1Uya7', 'r7lOBwNXlx', 'cxOOVemW8x', 'PAjORTSLBR', 'vdIOuYM5sy', 'rm0OJWpEYB'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, SEVygsUpenY03rhyRN.cs High entropy of concatenated method names: 'SksAZILZBx', 'rbcAC5YIFx', 'omwA3s3EAh', 'TgPAHovWkW', 'AOBAEWIHkP', 'nGdAvHF9PJ', 'cTPAb8hcdd', 'WQRAGrdVIP', 'sBLAPn5vqv', 'QklAagQUFR'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, XSiZdC5Wk4sX5ZXI0h.cs High entropy of concatenated method names: 'NLONWQeTVU', 'OhYNiXIEhM', 'VbSNy5nlVf', 'iGYNpmGC6P', 'h6bNYJldjS', 'N5nNcJyHYW', 'sWBNA0xPIX', 'DCkN5fPFVW', 'TdFNDUZZwB', 'PcaN0fGwux'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, ixE87fVco3u39tVeDd.cs High entropy of concatenated method names: 'cTnwGk9lm5', 'mHnwP5T7f3', 'OwXwjkspvF', 'JJAwdQnbdS', 'A9RwhVN2f4', 'rm7woOa0HQ', 'jRMwfSYGaI', 'DvjwXuIUkR', 'WJhw1SmxoI', 'csNwqPbMeY'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, POksTqLv23gIDSTmtv.cs High entropy of concatenated method names: 'JO8rAaIYYE', 'DjWr5h1PKK', 'oCQr04Qi43', 'YqNrkruhUm', 'LKWr8ncL7e', 'yWkr2obMx1', 'wvTnhcPZarpk054mmR', 'UMtRynZWACdxwUrZhC', 'T76rrqcjXX', 'PmqrNvnrcm'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, FFUGolJopXrievvJ4c.cs High entropy of concatenated method names: 'ToString', 'iUW2qjhSAh', 'rd02dgurYc', 'chY2INAa3Z', 'PKl2hXQBeT', 'hgE2oM2jh3', 'gLl2M32bN8', 'Ets2ffjKh1', 'hSO2XfObqu', 'BTY2U9RZDE'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, YlGc4ZTI0YWd3fQsXx.cs High entropy of concatenated method names: 'F0qKjGnNZn', 'kIvKds7BwO', 'eR4KINfIG1', 'OeUKhEqg0N', 'Du5KRh7P5p', 'AyXKo8IikI', 'Next', 'Next', 'Next', 'NextBytes'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, YjEy6M9c2BTBmsjLfO.cs High entropy of concatenated method names: 'E7yO0KkHnM', 'nN4Ok0rb2c', 'ToString', 'OTGOiqB70W', 'VFcOyeYglF', 'bwgOpHRFcL', 'sVbOYUZVpJ', 'lkTOcxvxW6', 'aRgOAbHdNb', 'SbqO5QFGTl'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, iBZpNwPCQ4Qi43TqNr.cs High entropy of concatenated method names: 'x81pH1NjsS', 'qv6pvIt2pO', 'R4ppGmXiq9', 'rUepPVPj45', 'rR9p8wGSpd', 'xAwp2Fuitb', 'LfNpOUwoj6', 'iJnpKC94p9', 'u3bptiWJqZ', 'iDTps6LYTG'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, RhUmNua4HbfKXXKWnc.cs High entropy of concatenated method names: 'S7GYENfHgW', 'QXOYbYkQV6', 'amIpIW9i1S', 'IUlphdWb6j', 'P6ApocAvIU', 'gnIpM8sVjj', 'aOVpfjotY4', 'ycOpXB6kmb', 'LNxpUCrROp', 'mIIp1R018y'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, AVK0tnygKddfqQqwFa.cs High entropy of concatenated method names: 'Dispose', 'rodrTt8uiY', 'n59gdxJVSq', 'KXm77IHRwJ', 'iV0rFvpVvH', 'kGMrzpEnUV', 'ProcessDialogKey', 'O3FgxlGc4Z', 'H0YgrWd3fQ', 'sXxggD1ZjH'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, aBA5C2rg4OGBwlweuHD.cs High entropy of concatenated method names: 'torsZh01GT', 'PX9sCfefiK', 'spus3OF7h8', 'dJcXFUuHbYVfWKL0Mv3', 'g7c2DQuTFTb0l3JF2TZ', 'K5vX88uL9xU5AAKHIna', 'UeMxN6uPTQmh0wkDl91'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, e1U0wlhLCh8W4Il2BO.cs High entropy of concatenated method names: 'qAHclIXBfb', 'DtycZtL2ZP', 'q4wc3EYCm8', 'R3QcHHOxTn', 'PnfcvuZN4p', 'vVHcbK8kem', 'TkdcP9Dbkp', 'SAbcapIjue', 'ppXa5yAmQMviloOFm7r', 'WIi36EAJI6oFlSeU7I9'
Source: 4.2.LisectAVT_2403002A_133.exe.40a5ac0.4.raw.unpack, aGt5rhfGQ5TrNgoLpn.cs High entropy of concatenated method names: 'BouAifZsaZ', 'AKLApVsjhc', 'UggAcG4BpF', 'WybcFqUq3A', 'M6Zcz1PGsD', 'rNcAxccuDL', 'aE8Arj7j0Z', 'rf0Ag2pDSp', 'lmZANvNws8', 'Bv6ALX9ASL'
Drops PE files
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe File created: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpCD6C.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: GlIToApjgGEL.exe PID: 7472, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Memory allocated: F20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Memory allocated: 2CC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Memory allocated: 2A00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Memory allocated: 87C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Memory allocated: 97C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Memory allocated: 9AB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Memory allocated: AAB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Memory allocated: 1590000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Memory allocated: 3130000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Memory allocated: 5130000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Memory allocated: 2520000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Memory allocated: 27A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Memory allocated: 26C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Memory allocated: 82E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Memory allocated: 92E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Memory allocated: 95D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Memory allocated: A5D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Memory allocated: 1150000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Memory allocated: 3000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Memory allocated: 2E40000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6885 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6387 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Window / User API: threadDelayed 2420 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Window / User API: threadDelayed 7428 Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Window / User API: threadDelayed 6833
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Window / User API: threadDelayed 3020
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 4532 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188 Thread sleep count: 6885 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7388 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7364 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep count: 32 > 30 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -29514790517935264s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7620 Thread sleep count: 2420 > 30 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -99839s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -99732s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -99625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -99516s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7620 Thread sleep count: 7428 > 30 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -99393s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -99266s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -99156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -99046s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -98938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -98813s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -98703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -98594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -98469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -98359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -98250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -98141s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -98031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -97922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -97812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -97703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -97594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -97469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -97357s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -97250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -97141s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -97031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -96922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -96812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -96703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -96594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -96484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -96375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -96266s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -96141s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -96016s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -95906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -95797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -95688s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -95563s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -95438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -95324s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -95219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -95094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -94984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -94875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -94766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -94656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -94547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe TID: 7596 Thread sleep time: -94438s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7512 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7836 Thread sleep count: 6833 > 30
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7836 Thread sleep count: 3020 > 30
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -99659s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -99421s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -99084s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -98847s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -98718s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -98608s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -98499s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -98390s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -98281s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -98171s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -98062s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -97952s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -97843s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -97733s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -97624s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -97515s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -97405s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -97296s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -97187s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -97075s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -96968s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -96858s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -96749s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -96640s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -96530s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -96421s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -96312s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -96202s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -96093s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -95984s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -95874s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -95765s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -95655s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -95546s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -95437s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -95328s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -95218s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -95109s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -94999s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -94890s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -94780s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -94671s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -94562s >= -30000s
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe TID: 7832 Thread sleep time: -94437s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 99839 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 99732 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 99625 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 99516 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 99393 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 99266 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 99156 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 99046 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 98938 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 98813 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 98703 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 98594 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 98469 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 98359 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 98250 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 98141 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 98031 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 97922 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 97812 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 97703 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 97594 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 97469 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 97357 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 97250 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 97141 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 97031 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 96922 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 96812 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 96703 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 96594 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 96484 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 96375 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 96266 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 96141 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 96016 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 95906 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 95797 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 95688 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 95563 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 95438 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 95324 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 95219 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 95094 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 94984 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 94875 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 94766 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 94656 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 94547 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Thread delayed: delay time: 94438 Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 99781
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 99659
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 99531
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 99421
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 99312
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 99203
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 99084
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 98847
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 98718
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 98608
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 98499
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 98390
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 98281
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 98171
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 98062
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 97952
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 97843
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 97733
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 97624
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 97515
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 97405
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 97296
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 97187
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 97075
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 96968
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 96858
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 96749
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 96640
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 96530
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 96421
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 96312
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 96202
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 96093
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 95984
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 95874
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 95765
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 95655
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 95546
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 95437
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 95328
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 95218
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 95109
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 94999
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 94890
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 94780
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 94671
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 94562
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Thread delayed: delay time: 94437
Source: GlIToApjgGEL.exe, 00000013.00000002.1407798826.00000000080C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Dev
Source: GlIToApjgGEL.exe, 00000013.00000002.1407798826.0000000008126000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: LisectAVT_2403002A_133.exe, 00000012.00000002.2527569170.0000000001711000.00000004.00000020.00020000.00000000.sdmp, GlIToApjgGEL.exe, 00000018.00000002.2539536816.00000000063CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Memory written: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Memory written: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpCD6C.tmp" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe "C:\Users\user\Desktop\LisectAVT_2403002A_133.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlIToApjgGEL" /XML "C:\Users\user\AppData\Local\Temp\tmpE6EF.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process created: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Process created: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe "C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Queries volume information: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Queries volume information: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 19.2.GlIToApjgGEL.exe.3ae17c0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.GlIToApjgGEL.exe.3b1c1e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.GlIToApjgGEL.exe.3b1c1e0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.GlIToApjgGEL.exe.3ae17c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.2528847260.000000000307C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2527987214.00000000031AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2527987214.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2528847260.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1344574120.0000000004921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2522255682.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1344574120.0000000004000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1403560028.0000000003AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_133.exe PID: 1088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_133.exe PID: 7320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GlIToApjgGEL.exe PID: 7472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GlIToApjgGEL.exe PID: 7736, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe File opened: C:\FTP Navigator\Ftplist.txt
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_133.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\GlIToApjgGEL.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 19.2.GlIToApjgGEL.exe.3ae17c0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.GlIToApjgGEL.exe.3b1c1e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.GlIToApjgGEL.exe.3b1c1e0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.GlIToApjgGEL.exe.3ae17c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.2527987214.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2528847260.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1344574120.0000000004921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2522255682.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1344574120.0000000004000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1403560028.0000000003AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_133.exe PID: 1088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_133.exe PID: 7320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GlIToApjgGEL.exe PID: 7472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GlIToApjgGEL.exe PID: 7736, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 19.2.GlIToApjgGEL.exe.3ae17c0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.GlIToApjgGEL.exe.3b1c1e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.GlIToApjgGEL.exe.3b1c1e0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.GlIToApjgGEL.exe.3ae17c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.LisectAVT_2403002A_133.exe.403afe8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.LisectAVT_2403002A_133.exe.40005c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.2528847260.000000000307C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2527987214.00000000031AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2527987214.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2528847260.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1344574120.0000000004921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2522255682.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1344574120.0000000004000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1403560028.0000000003AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_133.exe PID: 1088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_133.exe PID: 7320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GlIToApjgGEL.exe PID: 7472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GlIToApjgGEL.exe PID: 7736, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1482509 Sample: LisectAVT_2403002A_133.exe Startdate: 25/07/2024 Architecture: WINDOWS Score: 100 48 mail.kabeercommodities.com 2->48 50 kabeercommodities.com 2->50 52 api.ipify.org 2->52 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus / Scanner detection for submitted sample 2->62 64 9 other signatures 2->64 8 LisectAVT_2403002A_133.exe 7 2->8         started        12 GlIToApjgGEL.exe 5 2->12         started        signatures3 process4 file5 40 C:\Users\user\AppData\...behaviorgraphlIToApjgGEL.exe, PE32 8->40 dropped 42 C:\Users\...behaviorgraphlIToApjgGEL.exe:Zone.Identifier, ASCII 8->42 dropped 44 C:\Users\user\AppData\Local\...\tmpCD6C.tmp, XML 8->44 dropped 46 C:\Users\...\LisectAVT_2403002A_133.exe.log, ASCII 8->46 dropped 66 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->66 68 Uses schtasks.exe or at.exe to add and modify task schedules 8->68 70 Adds a directory exclusion to Windows Defender 8->70 14 LisectAVT_2403002A_133.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        72 Antivirus detection for dropped file 12->72 74 Machine Learning detection for dropped file 12->74 76 Injects a PE file into a foreign processes 12->76 24 GlIToApjgGEL.exe 12->24         started        26 schtasks.exe 12->26         started        28 GlIToApjgGEL.exe 12->28         started        signatures6 process7 dnsIp8 54 kabeercommodities.com 45.91.139.1, 49706, 49708, 587 MEER-ASmeerfarbigGmbHCoKGDE Lithuania 14->54 56 api.ipify.org 172.67.74.152, 443, 49704, 49707 CLOUDFLARENETUS United States 14->56 78 Loading BitLocker PowerShell Module 18->78 30 conhost.exe 18->30         started        32 WmiPrvSE.exe 18->32         started        34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        80 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->80 82 Tries to steal Mail credentials (via file / registry access) 24->82 84 Tries to harvest and steal ftp login credentials 24->84 86 Tries to harvest and steal browser information (history, passwords, etc) 24->86 38 conhost.exe 26->38         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
45.91.139.1
 kabeercommodities.com Lithuania
34549 MEER-ASmeerfarbigGmbHCoKGDE true
172.67.74.152
 api.ipify.org United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
kabeercommodities.com 45.91.139.1 true
api.ipify.org 172.67.74.152 true
mail.kabeercommodities.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
  • URL Reputation: safe
 unknown