Edit tour

Windows Analysis Report
LisectAVT_2403002A_326.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_326.exe
Analysis ID:	1482336
MD5:	14e1e4337af72bdba22538a1bc405427
SHA1:	9bacc38599dab1dcf1216d24c2816a6f016ce04a
SHA256:	339ea64849ebf88f3c2f7195c572ff95bf71099eed82cee1af3f1d2b2b591c9e
Tags:	exe
Infos:

Detection

Go Injector, Mars Stealer, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected Go Injector

Yara detected Mars stealer

Yara detected Stealc

Yara detected Vidar stealer

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking computer name)

Found evasive API chain (may stop execution after checking locale)

Injects a PE file into a foreign processes

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_326.exe (PID: 6992 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_326.exe" MD5: 14E1E4337AF72BDBA22538A1BC405427)

BitLockerToGo.exe (PID: 7148 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://193.143.1.226/129edec4272dc2c8.php", "Botnet": "newpakistan"}

Threatname: Vidar

{"C2 url": "http://193.143.1.226/129edec4272dc2c8.php"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
LisectAVT_2403002A_326.exe	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1889291210.000000C000B3A000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000002.1889291210.000000C000AA2000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1889291210.000000C000AA2000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000002.1889291210.000000C000980000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1889291210.000000C000980000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000002.1889291210.000000C000AEE000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000002.1889291210.000000C000A7C000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1889291210.000000C000A7C000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000002.1889998486.000000C000CCA000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1889998486.000000C000CCA000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000002.1889998486.000000C000CF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1889998486.000000C000CF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000002.1889291210.000000C000BC0000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000002.1889998486.000000C000C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1889998486.000000C000C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000003.1871312660.00000225FA770000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000003.1871312660.00000225FA770000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000002.1889291210.000000C000AC8000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1889291210.000000C000AC8000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000003.1805039527.00000225FA740000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000003.1805039527.00000225FA740000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000002.1894092597.00007FF6ABCF7000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
00000000.00000000.1703746830.00007FF6ABCF7000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
Process Memory Space: LisectAVT_2403002A_326.exe PID: 6992	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.3.LisectAVT_2403002A_326.exe.225fa740000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.3.LisectAVT_2403002A_326.exe.225fa740000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000a56000.4.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000a56000.4.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000ac8000.3.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000ac8000.3.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.3.LisectAVT_2403002A_326.exe.225fa740000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.3.LisectAVT_2403002A_326.exe.225fa740000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000ac8000.3.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000ca4000.7.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000ca4000.7.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.3.LisectAVT_2403002A_326.exe.225fa770000.3.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.3.LisectAVT_2403002A_326.exe.225fa770000.3.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.3.LisectAVT_2403002A_326.exe.225fa770000.3.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.3.LisectAVT_2403002A_326.exe.225fa770000.3.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
1.2.BitLockerToGo.exe.3050000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.BitLockerToGo.exe.3050000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000cf0000.8.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000cf0000.8.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000a56000.4.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.BitLockerToGo.exe.3050000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.BitLockerToGo.exe.3050000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000cf0000.8.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000cca000.9.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000cca000.9.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000aa2000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000aa2000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000cca000.9.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000cca000.9.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000ac8000.3.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000cf0000.8.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000aa2000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000aa2000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000a56000.4.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000ca4000.7.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.LisectAVT_2403002A_326.exe.c000ca4000.7.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
Click to see the 35 entries

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T21:37:24.758420+0200
SID:	2022930
Source Port:	443
Destination Port:	64219
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T21:36:55.338466+0200
SID:	2022930
Source Port:	443
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_326.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://193.143.1.226/129edec4272dc2c8.php

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1889291210.000000C000AA2000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "http://193.143.1.226/129edec4272dc2c8.php"}
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://193.143.1.226/129edec4272dc2c8.php", "Botnet": "newpakistan"}

Sample uses string decryption to hide its real strings

Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: 10
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: 04
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: 20
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: 24
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetProcAddress
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: LoadLibraryA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: lstrcatA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: OpenEventA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CreateEventA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CloseHandle
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Sleep
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: VirtualFree
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetSystemInfo
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: VirtualAlloc
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: HeapAlloc
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetComputerNameA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: lstrcpyA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetProcessHeap
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetCurrentProcess
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: lstrlenA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: ExitProcess
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetSystemTime
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: advapi32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: gdi32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: user32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: crypt32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: ntdll.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetUserNameA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CreateDCA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetDeviceCaps
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: ReleaseDC
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: sscanf
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: VMwareVMware
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: HAL9TH
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: JohnDoe
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: DISPLAY
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: http://193.143.1.226
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: /129edec4272dc2c8.php
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: /cdb52cf952e86d4b/
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: newpakistan
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetFileAttributesA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GlobalLock
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: HeapFree
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetFileSize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GlobalSize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: IsWow64Process
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Process32Next
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetLocalTime
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: FreeLibrary
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetVolumeInformationA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Process32First
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetLocaleInfoA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetModuleFileNameA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: DeleteFileA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: FindNextFileA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: LocalFree
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: FindClose
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: LocalAlloc
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetFileSizeEx
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: ReadFile
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SetFilePointer
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: WriteFile
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CreateFileA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: FindFirstFileA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CopyFileA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: VirtualProtect
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetLastError
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: lstrcpynA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: MultiByteToWideChar
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GlobalFree
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: WideCharToMultiByte
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GlobalAlloc
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: OpenProcess
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: TerminateProcess
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetCurrentProcessId
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: gdiplus.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: ole32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: bcrypt.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: wininet.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: shlwapi.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: shell32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: psapi.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: rstrtmgr.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SelectObject
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: BitBlt
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: DeleteObject
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CreateCompatibleDC
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GdiplusStartup
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GdiplusShutdown
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GdipDisposeImage
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GdipFree
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CoUninitialize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CoInitialize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CoCreateInstance
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: BCryptDecrypt
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: BCryptSetProperty
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: BCryptDestroyKey
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetWindowRect
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetDesktopWindow
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetDC
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CloseWindow
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: wsprintfA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CharToOemW
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: wsprintfW
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: RegQueryValueExA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: RegEnumKeyExA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: RegOpenKeyExA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: RegCloseKey
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: RegEnumValueA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CryptUnprotectData
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SHGetFolderPathA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: ShellExecuteExA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: InternetOpenUrlA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: InternetConnectA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: InternetCloseHandle
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: InternetOpenA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: HttpSendRequestA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: HttpOpenRequestA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: InternetReadFile
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: InternetCrackUrlA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: StrCmpCA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: StrStrA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: StrCmpCW
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: PathMatchSpecA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: RmStartSession
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: RmRegisterResources
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: RmGetList
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: RmEndSession
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: sqlite3_open
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: sqlite3_step
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: sqlite3_column_text
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: sqlite3_finalize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: sqlite3_close
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: sqlite3_column_blob
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: encrypted_key
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: PATH
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: NSS_Init
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: NSS_Shutdown
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: PK11_FreeSlot
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: PK11_Authenticate
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: C:\ProgramData\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: browser:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: profile:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: url:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: login:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: password:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Opera
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: OperaGX
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Network
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: cookies
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: .txt
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: TRUE
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: FALSE
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: autofill
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SELECT name, value FROM autofill
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: history
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: cc
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: name:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: month:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: year:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: card:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Cookies
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Login Data
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Web Data
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: History
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: logins.json
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: formSubmitURL
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: usernameField
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: encryptedUsername
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: encryptedPassword
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: guid
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: cookies.sqlite
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: formhistory.sqlite
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: places.sqlite
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: plugins
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Local Extension Settings
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Sync Extension Settings
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: IndexedDB
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Opera Stable
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Opera GX Stable
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CURRENT
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: chrome-extension_
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Local State
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: profiles.ini
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: chrome
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: opera
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: firefox
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: wallets
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: ProductName
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: x32
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: x64
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: ProcessorNameString
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: DisplayName
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: DisplayVersion
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Network Info:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: - IP: IP?
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: - Country: ISO?
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: System Summary:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: - HWID:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: - OS:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: - Architecture:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: - UserName:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: - Computer Name:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: - Local Time:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: - UTC:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: - Language:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: - Keyboards:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: - Laptop:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: - Running Path:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: - CPU:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: - Threads:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: - Cores:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: - RAM:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: - Display Resolution:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: - GPU:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: User Agents:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Installed Apps:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: All Users:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Current User:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Process List:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: system_info.txt
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: freebl3.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: mozglue.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: msvcp140.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: nss3.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: softokn3.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: vcruntime140.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: \Temp\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: .exe
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: runas
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: open
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: /c start
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: %DESKTOP%
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: %APPDATA%
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: %USERPROFILE%
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: %DOCUMENTS%
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: %PROGRAMFILES%
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: %RECENT%
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: *.lnk
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: files
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: \discord\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: \Telegram Desktop\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: key_datas
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: map*
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Telegram
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Tox
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: *.tox
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: *.ini
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Password
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: 00000001
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: 00000002
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: 00000003
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: 00000004
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Pidgin
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: \.purple\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: accounts.xml
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: token:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Software\Valve\Steam
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SteamPath
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: \config\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: ssfn*
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: config.vdf
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: DialogConfig.vdf
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: libraryfolders.vdf
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: loginusers.vdf
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: \Steam\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: sqlite3.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: browsers
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: done
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: soft
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: https
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: POST
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: HTTP/1.1
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: hwid
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: build
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: token
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: file_name
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: file
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: message
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: screenshot.jpg
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetProcAddress
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: LoadLibraryA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: lstrcatA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: OpenEventA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CreateEventA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CloseHandle
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Sleep
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: VirtualFree
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetSystemInfo
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: VirtualAlloc
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: HeapAlloc
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetComputerNameA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: lstrcpyA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetProcessHeap
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetCurrentProcess
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: lstrlenA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: ExitProcess
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetSystemTime
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: advapi32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: gdi32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: user32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: crypt32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: ntdll.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetUserNameA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CreateDCA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetDeviceCaps
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: ReleaseDC
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: sscanf
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: VMwareVMware
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: HAL9TH
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: JohnDoe
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: DISPLAY
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: http://193.143.1.226
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: /129edec4272dc2c8.php
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: /cdb52cf952e86d4b/
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: newpakistan
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetFileAttributesA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GlobalLock
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: HeapFree
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetFileSize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GlobalSize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: IsWow64Process
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Process32Next
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetLocalTime
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: FreeLibrary
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetVolumeInformationA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: Process32First
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetLocaleInfoA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetModuleFileNameA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: DeleteFileA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: FindNextFileA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: LocalFree
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: FindClose
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: LocalAlloc
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetFileSizeEx
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: ReadFile
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SetFilePointer
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: WriteFile
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CreateFileA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: FindFirstFileA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CopyFileA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: VirtualProtect
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetLastError
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: lstrcpynA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: MultiByteToWideChar
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GlobalFree
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: WideCharToMultiByte
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GlobalAlloc
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: OpenProcess
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: TerminateProcess
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetCurrentProcessId
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: gdiplus.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: ole32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: bcrypt.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: wininet.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: shlwapi.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: shell32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: psapi.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: rstrtmgr.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SelectObject
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: BitBlt
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: DeleteObject
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CreateCompatibleDC
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GdiplusStartup
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GdiplusShutdown
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GdipDisposeImage
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GdipFree
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CoUninitialize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CoInitialize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CoCreateInstance
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: BCryptDecrypt
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: BCryptSetProperty
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: BCryptDestroyKey
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetWindowRect
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetDesktopWindow
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetDC
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CloseWindow
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: wsprintfA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CharToOemW
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: wsprintfW
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: RegQueryValueExA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: RegEnumKeyExA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: RegOpenKeyExA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: RegCloseKey
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: RegEnumValueA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: CryptUnprotectData
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: SHGetFolderPathA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: ShellExecuteExA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: InternetOpenUrlA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: InternetConnectA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: InternetCloseHandle
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: InternetOpenA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: HttpSendRequestA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: HttpOpenRequestA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: InternetReadFile
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: InternetCrackUrlA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: StrCmpCA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: StrStrA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: StrCmpCW
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: PathMatchSpecA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack	String decryptor: GetModuleFileNameExA

Source: LisectAVT_2403002A_326.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: LisectAVT_2403002A_326.exe, LisectAVT_2403002A_326.exe, 00000000.00000003.1860143166.00000225FA9F0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_326.exe, 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_326.exe, 00000000.00000002.1889998486.000000C000D6F000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: LisectAVT_2403002A_326.exe, 00000000.00000003.1860143166.00000225FA9F0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_326.exe, 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_326.exe, 00000000.00000002.1889998486.000000C000D6F000.00000004.00001000.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://193.143.1.226/129edec4272dc2c8.php
Source: Malware configuration extractor	URLs: http://193.143.1.226/129edec4272dc2c8.php

Source: LisectAVT_2403002A_326.exe	String found in binary or memory: http://.css
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: http://.jpg
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://earth.google.com/kml/2.0
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://earth.google.com/kml/2.1
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://earth.google.com/kml/2.2
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: http://html4/loose.dtd
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opengis.net/gml
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opengis.net/gml/3.2
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opengis.net/gml/3.3/exr
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opengis.net/kml/2.2
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: http://www.topografix.com/GPX/1/1
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: https://api.loganalytics.iohttps://api.loganalytics.ushttps://datalake.azure.net/https://graph.micro
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: https://auth.docker.com/
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: https://batch.cloudapi.de/https://gallery.azure.com/https://graph.cloudapi.de/https://graph.windows.
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: https://cosmos.azure.comhttps://vault.azure.net/iam.us-gov.amazonaws.comidna:
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: https://database.chinacloudapi.cn/https://gallery.usgovcloudapi.net/https://login.microsoftonline.co
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: https://github.com/uber-go/dig/issues/new
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: https://manage.chinacloudapi.com/publishsettings/indexhttps://manage.microsoftazure.de/publishsettin
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: https://manage.windowsazure.com/publishsettings/indexillegal
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: https://manage.windowsazure.us/publishsettings/indexinternal
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: https://onsi.github.io/gomega/#adjusting-output
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: https://onsi.github.io/gomega/#eventually
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: https://ossrdbms-aad.database.chinacloudapi.cningest.timestream-fips.us-east-1.amazonaws.comingest.t
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: https://vault.azure.cn/https://vault.azure.netimage/x-portable-anymapimage/x-portable-bitmapimage/x-
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: https://vault.azure.cniam-fips.amazonaws.comidna:

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1889291210.000000C000B3A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.1889291210.000000C000AEE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.1889291210.000000C000BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000B961A0	0_2_000000C000B961A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000B9F992	0_2_000000C000B9F992
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000B978C0	0_2_000000C000B978C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000B91500	0_2_000000C000B91500
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000B9F1DA	0_2_000000C000B9F1DA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000B9F60E	0_2_000000C000B9F60E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000B9FBB9	0_2_000000C000B9FBB9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000B9F33B	0_2_000000C000B9F33B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000B9F731	0_2_000000C000B9F731
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000B96710	0_2_000000C000B96710
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000B86C7E	0_2_000000C000B86C7E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000B90490	0_2_000000C000B90490
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000B9F489	0_2_000000C000B9F489
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000B97FE0	0_2_000000C000B97FE0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000D2F992	0_2_000000C000D2F992
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000D261A0	0_2_000000C000D261A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000D21500	0_2_000000C000D21500
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000D278C0	0_2_000000C000D278C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000D2F60E	0_2_000000C000D2F60E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000D2F1DA	0_2_000000C000D2F1DA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000D2FBB9	0_2_000000C000D2FBB9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000D26710	0_2_000000C000D26710
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000D2F731	0_2_000000C000D2F731
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000D2F33B	0_2_000000C000D2F33B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000D20490	0_2_000000C000D20490
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000D2F489	0_2_000000C000D2F489
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000D16C7E	0_2_000000C000D16C7E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000D27FE0	0_2_000000C000D27FE0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: String function: 030543B0 appears 316 times

Source: LisectAVT_2403002A_326.exe

Static PE information: Number of sections : 12 > 10

Source: LisectAVT_2403002A_326.exe	Binary or memory string: OriginalFilename vs LisectAVT_2403002A_326.exe
Source: LisectAVT_2403002A_326.exe, 00000000.00000000.1705218440.00007FF6AC316000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAlkom Engineering-Setup.exeP0 vs LisectAVT_2403002A_326.exe
Source: LisectAVT_2403002A_326.exe, 00000000.00000003.1860143166.00000225FA9F0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs LisectAVT_2403002A_326.exe
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs LisectAVT_2403002A_326.exe
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1889998486.000000C000D6F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs LisectAVT_2403002A_326.exe
Source: LisectAVT_2403002A_326.exe	Binary or memory string: OriginalFilenameAlkom Engineering-Setup.exeP0 vs LisectAVT_2403002A_326.exe

Source: 00000000.00000002.1889291210.000000C000B3A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.1889291210.000000C000AEE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.1889291210.000000C000BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: LisectAVT_2403002A_326.exe	Binary string: lande (la)NtSetSystemInformationNyiakeng_Puachue_HmongOccitan France (oc-FR)OleCreatePropertyFrameOromo Ethiopia (om-ET)Pakistan Standard TimeParaguay Standard TimePower PC little endianRegisterTypeLibForUserRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersRussian Russia (ru-RU)SafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSanskrit India (sa-IN)Sao Tome Standard TimeSesotho Sa Leboa (nso)SetupDiEnumDriverInfoWSetupDiGetClassDevsExWSomali Somalia (so-SO)Spanish Mexico (es-MX)Spanish Panama (es-PA)Svalbard and Jan MayenSwedish Sweden (sv-SE)SynchronizedAfterSuiteTARGET_TYPE_ENUM_ENTRYTLS_AES_128_GCM_SHA256TLS_AES_256_GCM_SHA384Tasmania Standard TimeTrailNotFoundExceptionTrainingCenterDatabaseTurkish Turkey (tr-TR)Unsupported Media TypeUnsupportedCertificateWSAAsyncGetProtoByNameWSAGetOverlappedResultWSALookupServiceBeginAWSALookupServiceBeginWWSCWriteNameSpaceOrderWaitForMultipleObjectsWrong unwind opcode %dX-Content-Type-OptionsXXX_InternalExtensionsYiddish World (yi-001)Yoruba Nigeria (yo-NG)[client-transport %p] [server-transport %p] "<internal error: %v>"\Device\NamedPipe\msys
Source: LisectAVT_2403002A_326.exe	Binary string: \Device\NamedPipe\cygwin

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/0@0/0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe

File created: C:\Users\Public\Libraries\ooabk.scif

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe

File opened: C:\Windows\system32\af1c4147b56a0f0b20189c52106c7d67a33808e591b520fdac5a8ab1a60a54f9AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: LisectAVT_2403002A_326.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LisectAVT_2403002A_326.exe	String found in binary or memory: google.golang.org/grpc@v1.62.1/internal/balancerload/load.go
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: O//9BNg/dpMnZW25KydO4wtVxWAIbho= depgithub.com/docker/docker-credential-helpersv0.7.0h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= depgithub.com/docker/go-connectionsv0.5.0h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= depgithub.com/edsrzf/mmap-gov1
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: net/addrselect.go
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: github.com/saferwall/pe@v1.4.8/loadconfig.go
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: depgithub.com/docker/docker-credential-helpersv0.7.0h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: [38;5;28m^(\d{6})?$^976\d{2}$^980\d{2}$^986\d{2}$^987\d{2}$^988\d{2}$^BBND 1ZZ$^FIQQ 1ZZ$^PCRN 1ZZ$^SIQQ 1ZZ$^TKCA 1ZZ$^[\p{L}]+$_DATERANGE_GTSVECTOR_INT4RANGE_INT8RANGE_OIDVECTOR_REFCURSOR_REGCONFIG_TIMESTAMP_TINTERVAL_TSTZRANGE_reserved1af-south-1ap-south-1ap-south-2apigatewayappstream2arg %d: %watomicand8audio/3gppaudio/aiffaudio/flacaudio/midiaudio/mpegaudio/waveaudio/webmavx512bf16avx512gfniavx512ifmaavx512vaesavx512vbmiavx512vnniaws-globalaws-sdk-goaws-us-govazurecr.cnazurecr.ioazurecr.usbackgroundbackprime;backsimeq;big5-hkscsbigotimes;blockType(blockquotebuffer(%p)byte rangec2s.ic.govcenterdot;checkmark;cleanroomscloudfrontcloudhsmv2cloudtrailcn-north-1codecommitcodedeploycomparablecomplex128complexes;comprehendconnectioncreatetempcreditcardcsshiftjisdark-greendate-localdebug calldefinitiondependencydeprecateddevicefarmdialstringdnsapi.dlldotsquare;downarrow;dwmapi.dllecho replyeu-north-1eu-south-1eu-south-2event/nextexecerrdotexitThreadexp masterfigcaptionfloat32nanfloat64nanfont/woff2formactionformmethodformtargetgb_2312-80getsockoptgo_packagegoroutine greengrassgroup = %qgrpc.Recv.grpc.Sent.gtecsfieldgtrapprox;gtreqless;gvertneqq;healthlakeheartsuit;http-equivhttp_proxyhz-gb-2312image/avifimage/heicimage/heifimage/jpegimage/tiffimage/webpimpossibleinput_typeinspector2instanceofinvalid IPinvalidptriso-8859-1iso-8859-2iso-8859-3iso-8859-4iso-8859-5iso-8859-6iso-8859-7iso-8859-8iso-8859-9iso-ir-100iso-ir-101iso-ir-109iso-ir-110iso-ir-126iso-ir-127iso-ir-138iso-ir-144iso-ir-148iso-ir-149iso-ir-157iso8859-10iso8859-11iso8859-13iso8859-14iso8859-15iso_8859-1iso_8859-2iso_8859-3iso_8859-4iso_8859-5iso_8859-6iso_8859-7iso_8859-8iso_8859-9keep-alivekeySplineskeysplineslabel=<%v>leftarrow;lesseqgtr;light-graylinux/mipslocal-addrlocalhost:ltecsfieldlvertneqq;mSpanInUseme-south-1mediagroupmediastoremodels.lexmonitoringmultipart-ncrypt.dllnetbsd/386netbsd/armngeqslant;nleqslant;notifyListnovalidatenparallel;nrpostgresnshortmid;nsubseteq;nsupseteq;numOctavesnumoctavesobjectpathone_outputoneof_declowner diedpathLengthpathlengthpick_firstpitchfork;portal.ssoppt/_rels/ppt/media/ppt/theme/printasciiprofInsertquicksightradiogrouprationals;res binderres masterresumptionroundrobinrune <nil>runelengthruntime: gs.state = s3-controlschedtracesemacquireset-cookiesetsockoptshort readskipping: slabinfo -socks bindspadesuit;spellcheckstackLargestartswithstream endstructonlysubseteqq;subsetneq;supportappsupseteqq;supsetneq;syntheticst.Kind == terminatedtext/plaintext/vcardtext/x-luatext/x-phptext/x-srttext/x-tcltextLengthtextlengththerefore;thinclienttime-localtracefree(tracegc()
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: .WithDeadline(.in-addr.arpa./log/filter.go/log/helper.go1907348632812595367431640625: extra text: <binary chunk><not Stringer>> closed by </ALREADY_EXISTSAccept-CharsetAfrikaans (af)Align 16-BytesAlign 32-BytesAlign 64-BytesAlign1024BytesAlign2048BytesAlign4096BytesAlign8192BytesAllemagne (l')Alsatian (gsw)American SamoaApplyFunction;Argentine (l')Australie (l')BLOCK_LENGTH_1BLOCK_LENGTH_2BadCertificateBermudes (les)BstrFromVectorBulgarian (bg)CET CompatibleCLICOLOR_FORCECertCloseStoreCherokee (chr)Chunk AcceptedChunked uploadCoInitializeExCoUninitializeComputerNameExContent-LengthControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCreateTypeLib2CryptGenRandomC
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: [0m[%04d]%s %-44s ^(9694[1-4])([ \-]\d{4})?$^([-+._a-zA-Z0-9]{1,32}\|.)^[-+]?[0-9]+(?:\.[0-9]+)?$^maxstringlength$(\d+)$$^minstringlength$(\d+)$$_html_template_attrescaper_html_template_htmlescaperaddress type not supportedaos.ap-northeast-1.api.awsaos.ap-northeast-2.api.awsaos.ap-northeast-3.api.awsaos.ap-southeast-1.api.awsaos.ap-southeast-2.api.awsaos.ap-southeast-3.api.awsaos.ap-southeast-4.api.awsapplication/vnd.adobe.xfdfapplication/vnd.ms-outlookapplication/x-ms-installerapplication/x-unix-archiveappmesh.af-south-1.api.awsappmesh.ap-south-1.api.awsappmesh.eu-north-1.api.awsappmesh.eu-south-1.api.awsappmesh.me-south-1.api.awsasn1: invalid UTF-8 stringautorest/adal/devicetoken:bad certificate hash valuebare " in non-quoted-fieldbase 128 integer too largebatch.{region}.{dnsSuffix}binary.Read: invalid type bytes <start>-<end>/<size>call from functioncannot marshal DNS messageccBalancerWrapper: closingce.us-east-1.amazonaws.comchacha20: counter overflowchacha20: wrong nonce sizecloudapp.microsoftazure.decloudapp.usgovcloudapi.netcontainer nesting too deepcorrupted semaphore ticketcriterion lacks equal signcryptobyte: internal errordatabase.usgovcloudapi.netdatazone.ap-east-1.api.awsdatazone.ca-west-1.api.awsdatazone.eu-west-1.api.awsdatazone.eu-west-2.api.awsdatazone.eu-west-3.api.awsdatazone.sa-east-1.api.awsdatazone.us-east-1.api.awsdatazone.us-east-2.api.awsdatazone.us-west-1.api.awsdatazone.us-west-2.api.awsduplicate pseudo-header %qduplicate stream initiatedeks-auth.ap-east-1.api.awseks-auth.ca-west-1.api.awseks-auth.eu-west-1.api.awseks-auth.eu-west-2.api.awseks-auth.eu-west-3.api.awseks-auth.sa-east-1.api.awseks-auth.us-east-1.api.awseks-auth.us-east-2.api.awseks-auth.us-west-1.api.awseks-auth.us-west-2.api.awsencountered a cycle via %sentersyscall inconsistent expected complex; found %sexpected integer; found %sfailed to find ConnectEx: forEachP: P did not run fnfound undefined tag handleframe_priority_zero_streamframe_windowupdate_bad_lenfreedefer with d.fn != nilglue.us-gov-east-1.api.awsglue.us-gov-west-1.api.awsgob: local interface type google.golang.org/genprotogoogle/protobuf/type.protogrpc-previous-rpc-attemptshexcolor\|rgb\|rgba\|hsl\|hslahttp2: Framer %p: wrote %vhttp2: invalid Host headerhttps://batch.cloudapi.de/https://gallery.azure.com/https://graph.cloudapi.de/https://graph.windows.net/https://storage.azure.com/id (%v) <= evictCount (%v)importexport.amazonaws.cominteger overflow on token invalid UTF-8 byte: 0x%02xinvalid argument to Int31ninvalid argument to Int63ninvalid character sequenceinvalid nil source messageinvalid port %q after hostinvalid request descriptorinvalid server name formatinvalid value; expected %slog: cannot create log: %vlz4: option not applicablelzma: dictCap out of rangemalformed HTTP status codemalformed chunked encodingmalformed grpc-timeout: %vmariadb.database.azure.commobile prefix solicitationmysql.database.cloudapi.dename not unique on networknegative idle mark workersnegative literal i
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: wan (Province de Chine)TrailAlreadyExistsExceptionTsonga South Africa (ts-ZA)UnauthorizedClientExceptionWELL_KNOWN_TYPE_UNSPECIFIEDX-Amz-Expected-Bucket-Owner^(?:[^%]\|%[0-9A-Fa-f]{2})*$^00[679]\d{2}([ \-]\d{4})?$^BC1[02-9AC-HJ-NP-Z]{7,76}$^\d{3}[- ]?\d{2}[- ]?\d{4}$^bc1[02-9ac-hj-np-z]{7,76}$_html_template_jsstrescaper_html_template_jsvalescaperaccess-control-allow-originaddress not a stack addressaddress of entry point is 0after object key:value pairapplication/gzip-compressedapplication/pkcs7-signatureapplication/x-7z-compressedapplication/x-installshieldathena.ca-central-1.api.awsathena.eu-central-1.api.awsathena.eu-central-2.api.awsathena.il-central-1.api.awsathena.me-central-1.api.awsbad data: undefined type %sber2der: Invalid BER formatber2der: input ber is emptybinary.Write: invalid type boringcrypto: not availablecan't index item of type %scan't invoke an untyped nilcan't slice item of type %scannot register a nil Codecchannel number out of rangecipher: incorrect length IVcodecatalyst.global.api.awscommunication error on sendconfig.{region}.{dnsSuffix}connection error: desc = %qcorrupt input: weights zerocould not find QPC syscallscould not find expected ':'cryptobyte: length overflowcurrent time %s is after %sdatazone.af-south-1.api.awsdatazone.ap-south-1.api.awsdatazone.ap-south-2.api.awsdatazone.eu-north-1.api.awsdatazone.eu-south-1.api.awsdatazone.eu-south-2.api.awsdatazone.me-south-1.api.awsdbus.Store: length mismatchdbus: authentication faileddecode can't handle type %sdeprecated randomized filesdocuments.microsoftazure.deed25519: verification erroreks-auth.af-south-1.api.awseks-auth.ap-south-1.api.awseks-auth.ap-south-2.api.awseks-auth.eu-north-1.api.awseks-auth.eu-south-1.api.awseks-auth.eu-south-2.api.awseks-auth.me-south-1.api.awsexpand slice: cannot changeexpected a digit but got %qexpected low surrogate areaexpression nests too deeplyfailed to set sweep barrierfips-verification-us-east-1fips-verification-us-east-2fips-verification-us-west-1fips-verification-us-west-2frame_pushpromise_pad_shortframe_rststream_zero_streamfse decompress returned: %wgcstopm: not waiting for gcglobal.health.amazonaws.comgrowslice: len out of rangehkdf: entropy limit reachedhttp chunk length too largehttp2: response body closedhttp: invalid Cookie.Domainhttps://api.loganalytics.iohttps://api.loganalytics.ushttps://datalake.azure.net/https://graph.microsoft.us/icmp node information queryincomplete UTF-16 characterinput overflows the modulusinsufficient security levelinternal lockOSThread errorinvalid ASN.1 from SignASN1invalid HTTP header name %qinvalid Message.Mutable on invalid P224 point encodinginvalid P256 point encodinginvalid P384 point encodinginvalid P521 point encodinginvalid argument to Shuffleinvalid character <<%c>> %sinvalid dependent stream IDinvalid leading UTF-8 octetinvalid profile bucket typeinvalid schema or transportinvalid signature algorithminvalid struct key type: %vinvalid type for comparisoninvalid type name length %dkey was
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: The `Content-Length` header must be zero and the body must be empty.The upload is to the registry. The upload must be restarted.^[ABCEGHJKLMNPRSTVXY]\d[ABCEGHJ-NPRSTV-Z][ ]?\d[ABCEGHJ-NPRSTV-Z]\d$big: invalid 2nd argument to Int.Jacobi: need odd integer but got %sbytes/string in stream must decode into slice/array of bytes, not %vcannot decode into nil map[int32]interface{} given stream length: %vcannot decode into nil map[uint8]interface{} given stream length: %vcomma-separated list of pattern=N settings for file-filtered loggingcrypto/hmac: hash generation function does not produce unique valuesdamaged Import Table information. ILT and/or IAT appear to be brokendbus.Store: type mismatch: map: cannot convert a value of %s into %sdbus.Store: type mismatch: slice: cannot store a value of %s into %sdecoding int array or slice: length exceeds input size (%d elements)embedded IPv4 address must replace the final 2 fields of the addressexpected SCALAR, SEQUENCE-START, MAPPING-START, or ALIAS, but got %vexpecting the prefix to be the "urn" string (whatever case) [col %d]extension %v does not implement protoreflect.ExtensionTypeDescriptorgo package net: built with netgo build tag; using Go's DNS resolver
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: net/addrselect.go
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: github.com/saferwall/pe@v1.4.8/loadconfig.go
Source: LisectAVT_2403002A_326.exe	String found in binary or memory: google.golang.org/grpc@v1.62.1/internal/balancerload/load.go

Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe

File read: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe "C:\Users\user\Desktop\LisectAVT_2403002A_326.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior

Source: LisectAVT_2403002A_326.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: LisectAVT_2403002A_326.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: LisectAVT_2403002A_326.exe

Static file information: File size 23900169 > 1048576

Source: LisectAVT_2403002A_326.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x913e00
Source: LisectAVT_2403002A_326.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x162e00
Source: LisectAVT_2403002A_326.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xc04c00

Source: LisectAVT_2403002A_326.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: LisectAVT_2403002A_326.exe, LisectAVT_2403002A_326.exe, 00000000.00000003.1860143166.00000225FA9F0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_326.exe, 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_326.exe, 00000000.00000002.1889998486.000000C000D6F000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: LisectAVT_2403002A_326.exe, 00000000.00000003.1860143166.00000225FA9F0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_326.exe, 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_326.exe, 00000000.00000002.1889998486.000000C000D6F000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_0306918C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_0306918C

Source: LisectAVT_2403002A_326.exe

Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000BA23BD push ecx; ret	0_2_000000C000BA23D0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000BA1F84 push ecx; ret	0_2_000000C000BA1F97
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000B86C7E pushad ; retf	0_2_000000C000B883B9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000D31F84 push ecx; ret	0_2_000000C000D31F97
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000D323BD push ecx; ret	0_2_000000C000D323D0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000D16C7E pushad ; retf	0_2_000000C000D183B9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000CE0AC5 push ecx; ret	0_2_000000C000CE0AD8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_030676C5 push ecx; ret	1_2_030676D8

Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking computer name)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Evasive API call chain: GetComputerName,DecisionNodes,ExitProcess

graph_1-11592

Found evasive API chain (may stop execution after checking locale)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_1-11589

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

API coverage: 7.4 %

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_03051120 GetSystemInfo,

1_2_03051120

Source: BitLockerToGo.exe, 00000001.00000002.1872504187.00000000033C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware`
Source: BitLockerToGo.exe, 00000001.00000002.1872504187.00000000033C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1890618818.00000225D3112000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_03067B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

1_2_03067B4E

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

1_2_0306918C

Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Code function: 0_2_000000C000CDF1C0 mov eax, dword ptr fs:[00000030h]		0_2_000000C000CDF1C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_03065DC0 mov eax, dword ptr fs:[00000030h]		1_2_03065DC0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_03067B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_03067B4E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_030673DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_030673DD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_03069DC7 SetUnhandledExceptionFilter,	1_2_03069DC7

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3050000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3050000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3050000			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2E9C008			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_030643C0 GetUserNameA,

1_2_030643C0

Stealing of Sensitive Information

Yara detected Go Injector

Source: Yara match	File source: LisectAVT_2403002A_326.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000002.1894092597.00007FF6ABCF7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1703746830.00007FF6ABCF7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_326.exe PID: 6992, type: MEMORYSTR

Yara detected Mars stealer

Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_326.exe.225fa740000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000a56000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000ac8000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_326.exe.225fa740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000ca4000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_326.exe.225fa770000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_326.exe.225fa770000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BitLockerToGo.exe.3050000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000cf0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BitLockerToGo.exe.3050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000cca000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000aa2000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000cca000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000ac8000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000cf0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000aa2000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000a56000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000ca4000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889291210.000000C000AA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889291210.000000C000980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889291210.000000C000A7C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889998486.000000C000CCA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889998486.000000C000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889998486.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1871312660.00000225FA770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889291210.000000C000AC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1805039527.00000225FA740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_326.exe.225fa740000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000a56000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000ac8000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_326.exe.225fa740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000ac8000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000ca4000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_326.exe.225fa770000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_326.exe.225fa770000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BitLockerToGo.exe.3050000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000cf0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000a56000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BitLockerToGo.exe.3050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000cf0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000cca000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000aa2000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000cca000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000aa2000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000ca4000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889291210.000000C000AA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889291210.000000C000980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889291210.000000C000A7C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889998486.000000C000CCA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889998486.000000C000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889998486.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1871312660.00000225FA770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889291210.000000C000AC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1805039527.00000225FA740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Go Injector

Source: Yara match	File source: LisectAVT_2403002A_326.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000002.1894092597.00007FF6ABCF7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1703746830.00007FF6ABCF7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_326.exe PID: 6992, type: MEMORYSTR

Yara detected Mars stealer

Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_326.exe.225fa740000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000a56000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000ac8000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_326.exe.225fa740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000ca4000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_326.exe.225fa770000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_326.exe.225fa770000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BitLockerToGo.exe.3050000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000cf0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BitLockerToGo.exe.3050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000cca000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000aa2000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000cca000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000ac8000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000cf0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000aa2000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000a56000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000ca4000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889291210.000000C000AA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889291210.000000C000980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889291210.000000C000A7C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889998486.000000C000CCA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889998486.000000C000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889998486.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1871312660.00000225FA770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889291210.000000C000AC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1805039527.00000225FA740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_326.exe.225fa740000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000a56000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000ac8000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_326.exe.225fa740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000ac8000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000ca4000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_326.exe.225fa770000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_326.exe.225fa770000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BitLockerToGo.exe.3050000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000cf0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000a56000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BitLockerToGo.exe.3050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000cf0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000cca000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000aa2000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000cca000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000aa2000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_326.exe.c000ca4000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889291210.000000C000AA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889291210.000000C000980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889291210.000000C000A7C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889998486.000000C000CCA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889998486.000000C000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889998486.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1871312660.00000225FA770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1889291210.000000C000AC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1805039527.00000225FA740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	311 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	21 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	212 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_326.exe	100%	Avira	TR/AVI.Stealc.ebcnf

Source	Detection	Scanner	Label
https://onsi.github.io/gomega/#adjusting-output	0%	Avira URL Cloud	safe
https://auth.docker.com/	0%	Avira URL Cloud	safe
http://193.143.1.226/129edec4272dc2c8.php	100%	Avira URL Cloud	malware
http://html4/loose.dtd	0%	Avira URL Cloud	safe
https://cosmos.azure.comhttps://vault.azure.net/iam.us-gov.amazonaws.comidna:	0%	Avira URL Cloud	safe
https://batch.cloudapi.de/https://gallery.azure.com/https://graph.cloudapi.de/https://graph.windows.	0%	Avira URL Cloud	safe
https://github.com/uber-go/dig/issues/new	0%	Avira URL Cloud	safe
https://api.loganalytics.iohttps://api.loganalytics.ushttps://datalake.azure.net/https://graph.micro	0%	Avira URL Cloud	safe
https://vault.azure.cn/https://vault.azure.netimage/x-portable-anymapimage/x-portable-bitmapimage/x-	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe
https://manage.windowsazure.us/publishsettings/indexinternal	0%	Avira URL Cloud	safe
http://www.opengis.net/gml	0%	Avira URL Cloud	safe
http://earth.google.com/kml/2.2	0%	Avira URL Cloud	safe
https://database.chinacloudapi.cn/https://gallery.usgovcloudapi.net/https://login.microsoftonline.co	0%	Avira URL Cloud	safe
http://www.collada.org/2005/11/COLLADASchema	0%	Avira URL Cloud	safe
http://earth.google.com/kml/2.1	0%	Avira URL Cloud	safe
http://www.topografix.com/GPX/1/1	0%	Avira URL Cloud	safe
http://earth.google.com/kml/2.0	0%	Avira URL Cloud	safe
http://www.opengis.net/gml/3.2	0%	Avira URL Cloud	safe
http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2	0%	Avira URL Cloud	safe
http://www.opengis.net/kml/2.2	0%	Avira URL Cloud	safe
http://www.opengis.net/gml/3.3/exr	0%	Avira URL Cloud	safe
https://vault.azure.cniam-fips.amazonaws.comidna:	0%	Avira URL Cloud	safe
https://manage.windowsazure.com/publishsettings/indexillegal	0%	Avira URL Cloud	safe
http://.jpg	0%	Avira URL Cloud	safe
https://onsi.github.io/gomega/#eventually	0%	Avira URL Cloud	safe
https://manage.chinacloudapi.com/publishsettings/indexhttps://manage.microsoftazure.de/publishsettin	0%	Avira URL Cloud	safe
https://ossrdbms-aad.database.chinacloudapi.cningest.timestream-fips.us-east-1.amazonaws.comingest.t	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://193.143.1.226/129edec4272dc2c8.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	LisectAVT_2403002A_326.exe	false	Avira URL Cloud: safe	unknown
https://onsi.github.io/gomega/#adjusting-output	LisectAVT_2403002A_326.exe	false	Avira URL Cloud: safe	unknown
https://auth.docker.com/	LisectAVT_2403002A_326.exe	false	Avira URL Cloud: safe	unknown
https://batch.cloudapi.de/https://gallery.azure.com/https://graph.cloudapi.de/https://graph.windows.	LisectAVT_2403002A_326.exe	false	Avira URL Cloud: safe	unknown
https://vault.azure.cn/https://vault.azure.netimage/x-portable-anymapimage/x-portable-bitmapimage/x-	LisectAVT_2403002A_326.exe	false	Avira URL Cloud: safe	unknown
https://github.com/uber-go/dig/issues/new	LisectAVT_2403002A_326.exe	false	Avira URL Cloud: safe	unknown
http://.css	LisectAVT_2403002A_326.exe	false	Avira URL Cloud: safe	unknown
https://cosmos.azure.comhttps://vault.azure.net/iam.us-gov.amazonaws.comidna:	LisectAVT_2403002A_326.exe	false	Avira URL Cloud: safe	unknown
https://api.loganalytics.iohttps://api.loganalytics.ushttps://datalake.azure.net/https://graph.micro	LisectAVT_2403002A_326.exe	false	Avira URL Cloud: safe	unknown
https://manage.windowsazure.us/publishsettings/indexinternal	LisectAVT_2403002A_326.exe	false	Avira URL Cloud: safe	unknown
http://www.opengis.net/gml	LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://database.chinacloudapi.cn/https://gallery.usgovcloudapi.net/https://login.microsoftonline.co	LisectAVT_2403002A_326.exe	false	Avira URL Cloud: safe	unknown
http://www.collada.org/2005/11/COLLADASchema	LisectAVT_2403002A_326.exe	false	Avira URL Cloud: safe	unknown
http://www.topografix.com/GPX/1/1	LisectAVT_2403002A_326.exe	false	Avira URL Cloud: safe	unknown
http://earth.google.com/kml/2.2	LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://earth.google.com/kml/2.0	LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://earth.google.com/kml/2.1	LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.opengis.net/gml/3.2	LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2	LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://manage.windowsazure.com/publishsettings/indexillegal	LisectAVT_2403002A_326.exe	false	Avira URL Cloud: safe	unknown
http://www.opengis.net/kml/2.2	LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.opengis.net/gml/3.3/exr	LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://vault.azure.cniam-fips.amazonaws.comidna:	LisectAVT_2403002A_326.exe	false	Avira URL Cloud: safe	unknown
http://.jpg	LisectAVT_2403002A_326.exe	false	Avira URL Cloud: safe	unknown
https://ossrdbms-aad.database.chinacloudapi.cningest.timestream-fips.us-east-1.amazonaws.comingest.t	LisectAVT_2403002A_326.exe	false	Avira URL Cloud: safe	unknown
https://manage.chinacloudapi.com/publishsettings/indexhttps://manage.microsoftazure.de/publishsettin	LisectAVT_2403002A_326.exe	false	Avira URL Cloud: safe	unknown
https://onsi.github.io/gomega/#eventually	LisectAVT_2403002A_326.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482336
Start date and time:	2024-07-25 21:35:39 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_326.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/0@0/0
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 74% Number of executed functions: 10 Number of non-executed functions: 54
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target LisectAVT_2403002A_326.exe, PID 6992 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: LisectAVT_2403002A_326.exe

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.725086869319357
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	LisectAVT_2403002A_326.exe
File size:	23'900'169 bytes
MD5:	14e1e4337af72bdba22538a1bc405427
SHA1:	9bacc38599dab1dcf1216d24c2816a6f016ce04a
SHA256:	339ea64849ebf88f3c2f7195c572ff95bf71099eed82cee1af3f1d2b2b591c9e
SHA512:	c44934c580df9cd2b1dcefed6b5ae3362836e8a2cc271aabd6369121b674f9f6cf0c80791f03df91b5b15ec853ca4b4671945e2d20f38979b14617bb7de4dd2b
SSDEEP:	98304:qldWlVlUxo2Gy9MXyF9NI5+RaUDPXELo22c1pLeIzfMjY9OEXEVGIqoA2Ry6L3B4:A8oX94I7fDfELo2rLeIzfMjYU1q
TLSH:	58373943F98241E4C6A9D130C5268622BB717C894B3427D73B60F7B42E76BD4AF7A364
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.>....l................@..............................s......Tm...`... ............................

File Icon


Icon Hash:	4541414141454545

Static PE Info

General

Entrypoint:	0x1400014c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x40909820, 0x1, 0x409097f0, 0x1, 0x4090d250, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	515b93963b389b2d17fb117ab88598b2

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0167AE45h]
mov dword ptr [eax], 00000001h
call 00007F71D8B76DCFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0167AE25h]
mov dword ptr [eax], 00000000h
call 00007F71D8B76DAFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F71D948A1D4h
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F71D8B770E9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
jmp dword ptr [eax]
inc edi
outsd
and byte ptr [edx+75h], ah
imul ebp, dword ptr [esp+20h], 203A4449h
and dh, byte ptr [edi+70h]
inc edx
outsd
imul esi, dword ptr [ebx], 6F4B4836h
jo 00007F71D8B7717Dh
xor al, 77h
xor dl, byte ptr [ecx+36h]
outsb
inc edx
cmp dword ptr [edi], ebp
dec eax
dec ecx
imul esi, dword ptr [ebx], 58h
jne 00007F71D8B77189h
dec ecx
push ebx
jns 00007F71D8B77143h
push edx
insb
xor edi, dword ptr [ecx+6Ch]
inc ebp
dec ebp
dec esp
jo 00007F71D8B77141h
jnbe 00007F71D8B77156h
je 00007F71D8B77148h
jnbe 00007F71D8B77146h
dec edi
push 45536771h
add byte ptr fs:[eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x16f1000	0x73	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x16f2000	0x1394	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16f6000	0xe261	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x167d000	0x4b0c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1705000	0x37e3c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x167bc60	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x16f2480	0x430	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x913d80	0x913e00	971a76b238f8be993b402732b124e928	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x915000	0x162d10	0x162e00	84cd94407adbb3e85a1f0a7a568244bb	False	0.3876784574233885	dBase III DBT, version number 0, next free block index 10, 1st item "bJ/WzJUwBf8UiaSzgX7aMclParm9/5Vgp+TY51uBQ="	5.284282153894391	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xa78000	0xc04b20	0xc04c00	49109e9933f14b15d0d86269fda0b6d2	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x167d000	0x4b0c	0x4c00	416462cceb6e58df6507a24b52882d36	False	0.43133223684210525	data	5.734502474931372	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x1682000	0x2844	0x2a00	8f078a1b514fbbe017342cb010ef209b	False	0.12174479166666667	data	2.9597790689164767	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x1685000	0x6b2a0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x16f1000	0x73	0x200	b914f27170584722b82270b9ae0d9ac1	False	0.162109375	data	1.3362968586390784	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x16f2000	0x1394	0x1400	a75f70f4f1eb93ef270a0e6e5e7e08da	False	0.3189453125	data	4.691305652897185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x16f4000	0x70	0x200	13a4ad80f8e6cb2cfafd570322895bb9	False	0.083984375	data	0.47677526113352753	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x16f5000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x16f6000	0xe261	0xe400	ee627969b4dd932cf3a3c887c584e03f	False	0.1473924067982456	data	4.44310827339348	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1705000	0x37e3c	0x38000	2fa80101789f66b8f24dfda1abd16c54	False	0.15942818777901785	data	5.4477481181414396	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x16f6370	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.2701612903225806
RT_ICON	0x16f6658	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192			0.40878378378378377
RT_ICON	0x16f6780	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688			0.21961620469083157
RT_ICON	0x16f7628	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152			0.33664259927797835
RT_ICON	0x16f7ed0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320			0.5158959537572254
RT_ICON	0x16f8438	0xf89	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.8770429972340961
RT_ICON	0x16f93c4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.039560699102503545
RT_ICON	0x16fd5ec	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.053319502074688795
RT_ICON	0x16ffb94	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720			0.06079881656804734
RT_ICON	0x17015fc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.06777673545966229
RT_ICON	0x17026a4	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.12827868852459015
RT_ICON	0x170302c	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680			0.13372093023255813
RT_ICON	0x17036e4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.17907801418439717
RT_GROUP_ICON	0x1703b4c	0xbc	data			0.648936170212766
RT_VERSION	0x1703c08	0x320	data	English	United States	0.42875
RT_MANIFEST	0x1703f28	0x339	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4678787878787879

Imports

DLL	Import
KERNEL32.dll	AddAtomA, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler
msvcrt.dll	___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen
OPENGL32.dll	wglGetProcAddress

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 21:37:22.275957108 CEST	53	64625	162.159.36.2	192.168.2.4
Jul 25, 2024 21:37:22.874406099 CEST	53	58140	1.1.1.1	192.168.2.4

Target ID:	0
Start time:	15:36:34
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_326.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_326.exe"
Imagebase:	0x7ff6aac20000
File size:	23'900'169 bytes
MD5 hash:	14E1E4337AF72BDBA22538A1BC405427
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1889291210.000000C000B3A000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1889291210.000000C000AA2000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000002.1889291210.000000C000AA2000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1889291210.000000C000980000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000002.1889291210.000000C000980000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1889291210.000000C000AEE000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1889291210.000000C000A7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000002.1889291210.000000C000A7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1889998486.000000C000CCA000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000002.1889998486.000000C000CCA000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1889998486.000000C000CF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000002.1889998486.000000C000CF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1889291210.000000C000BC0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1889998486.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000002.1889998486.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000003.1871312660.00000225FA770000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000003.1871312660.00000225FA770000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1889291210.000000C000AC8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000002.1889291210.000000C000AC8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000003.1805039527.00000225FA740000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000003.1805039527.00000225FA740000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000002.1894092597.00007FF6ABCF7000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000000.1703746830.00007FF6ABCF7000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:36:50
Start date:	25/07/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Imagebase:	0xbb0000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 000000C000B86C7E Relevance: 12.6, Strings: 8, Instructions: 2564COMMON

Download Yara Rule

Strings

<@, xrefs: 000000C000B87078
D@, xrefs: 000000C000B87750
2@, xrefs: 000000C000B87444
?@, xrefs: 000000C000B872F4
6@, xrefs: 000000C000B87E28
E@, xrefs: 000000C000B8784C
2@, xrefs: 000000C000B87F64
5@, xrefs: 000000C000B87DA8

Memory Dump Source

Source File: 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000B86000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000b86000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID: 2@$2@$5@$6@$<@$?@$D@$E@
API String ID: 0-4177799495
Opcode ID: ea8d41c493efc9e565d1e34f4f082510168f71bbfd19e5a54daf489bb2c170eb
Instruction ID: b4e93411e1dfa1398b1c14a7aac2006f40cc96448ba85347776e55f22af3dd3c
Opcode Fuzzy Hash: ea8d41c493efc9e565d1e34f4f082510168f71bbfd19e5a54daf489bb2c170eb
Instruction Fuzzy Hash: FC23BD9148E7C25FD31387B019796907FB0AE13128B2E56DFC4D2CB4A3D68D998BC722

Function 000000C000D16C7E Relevance: 12.6, Strings: 8, Instructions: 2564COMMON

Download Yara Rule

Strings

?@, xrefs: 000000C000D172F4
2@, xrefs: 000000C000D17444
2@, xrefs: 000000C000D17F64
5@, xrefs: 000000C000D17DA8
6@, xrefs: 000000C000D17E28
E@, xrefs: 000000C000D1784C
D@, xrefs: 000000C000D17750
<@, xrefs: 000000C000D17078

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000D16000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000d16000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID: 2@$2@$5@$6@$<@$?@$D@$E@
API String ID: 0-4177799495
Opcode ID: ea8d41c493efc9e565d1e34f4f082510168f71bbfd19e5a54daf489bb2c170eb
Instruction ID: caeb9652a74d4a11b4e96c9502badf71ff1ed12c842c6feebce94edf6b20ae54
Opcode Fuzzy Hash: ea8d41c493efc9e565d1e34f4f082510168f71bbfd19e5a54daf489bb2c170eb
Instruction Fuzzy Hash: 9F23BD9148E7C25FD71387B059796907FB0AE13128B2E56DFC4D2CB4A3D29D898BC722

Function 000000C000B97FE0 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 390COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 000000C000B982AB

Strings

), xrefs: 000000C000B98489

Memory Dump Source

Source File: 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000B86000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000b86000_LisectAVT_2403002A_326.jbxd

Similarity

API ID: __aulldiv
String ID: )
API String ID: 3732870572-2427484129
Opcode ID: 2eada17c72195a8567888d63534ea42dd42b4dee61b44744c02ecb5eeb4a516e
Instruction ID: a8e06fe986f95dc097e980605ab712a89f02911b6398cea81058fc3e054df7df
Opcode Fuzzy Hash: 2eada17c72195a8567888d63534ea42dd42b4dee61b44744c02ecb5eeb4a516e
Instruction Fuzzy Hash: 49022E75D0021ADBFB54CF65C480BADBBF1BF09714F254269EA14AB396DB30A841CFA4

Function 000000C000D27FE0 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 390COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 000000C000D282AB

Strings

), xrefs: 000000C000D28489

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000D16000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000d16000_LisectAVT_2403002A_326.jbxd

Similarity

API ID: __aulldiv
String ID: )
API String ID: 3732870572-2427484129
Opcode ID: 2eada17c72195a8567888d63534ea42dd42b4dee61b44744c02ecb5eeb4a516e
Instruction ID: 09ce6f83e0ca4bf50b3dc1a8ea0494edbc0cfb0dfb1d6a906861ae3155aba4f1
Opcode Fuzzy Hash: 2eada17c72195a8567888d63534ea42dd42b4dee61b44744c02ecb5eeb4a516e
Instruction Fuzzy Hash: AF024E75D0121ACBEF14DF64C480BAEBBF1BF18714F25426ADD14AB385DB319841DBA4

Function 000000C000B978C0 Relevance: 1.8, APIs: 1, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000B86000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000b86000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cf0b7dab734c51792b9837063e471816dc57cf297eb060cd645a662e28f3ec
Instruction ID: 96c0cdbb1f5ba794ae3cb4102450d629f547c031bf03fa2ecab36410b1dc5915
Opcode Fuzzy Hash: a0cf0b7dab734c51792b9837063e471816dc57cf297eb060cd645a662e28f3ec
Instruction Fuzzy Hash: 15D18D70A58612DBE768CF28C480F6AB7E1BF45318F2647A9DA549B281DB30EC45CFD1

Function 000000C000D278C0 Relevance: 1.8, APIs: 1, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000D16000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000d16000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cf0b7dab734c51792b9837063e471816dc57cf297eb060cd645a662e28f3ec
Instruction ID: 9d3f7d80aabaf157ddecc53d0e12e8116d6a0b317cb7679838a1b0f299810de2
Opcode Fuzzy Hash: a0cf0b7dab734c51792b9837063e471816dc57cf297eb060cd645a662e28f3ec
Instruction Fuzzy Hash: 74D16B75A08612CBFB74CF28C480F6AB7E1BF55318F26476AE8549B281D730E855CBE1

Function 000000C000B9F992 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 000000C000B9FA01

Memory Dump Source

Source File: 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000B86000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000b86000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6ad8362f019051a5dee9ab5c7622f498f50d44dd871cddd89372ed5cdb3ebb9f
Instruction ID: 3de7c884989f3bb647fcbd462b686344f490b0ec0f6372e131c528ee3035b7e1
Opcode Fuzzy Hash: 6ad8362f019051a5dee9ab5c7622f498f50d44dd871cddd89372ed5cdb3ebb9f
Instruction Fuzzy Hash: B2711CB1E0022ACFDB64CF29C984B99F7F5BB48314F1582E9DA19EB251D6309E81CF54

Function 000000C000D2F992 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 000000C000D2FA01

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000D16000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000d16000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6ad8362f019051a5dee9ab5c7622f498f50d44dd871cddd89372ed5cdb3ebb9f
Instruction ID: ce14b55a41a10ffad6f26075b5a191c0e08c97dc5d938cd3d50c3f45f0a4f5a4
Opcode Fuzzy Hash: 6ad8362f019051a5dee9ab5c7622f498f50d44dd871cddd89372ed5cdb3ebb9f
Instruction Fuzzy Hash: 04710CB1E00229CFDB64CF29C980B99F7F5BB58314F1586FADA19A7241D6309E81CF54

Function 000000C000B91500 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000B86000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000b86000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd97ff44b9229a4f039a192da0a4aa74772c4fdccadc959e2881fb76c5363f16
Instruction ID: 7975dd7cb66c3e2b7c86e0af74a3dce71a17f68455f6e0dfc49acc0d643bacdb
Opcode Fuzzy Hash: cd97ff44b9229a4f039a192da0a4aa74772c4fdccadc959e2881fb76c5363f16
Instruction Fuzzy Hash: 14D1F774A00116DAFB649F2CCC94FBE73B5EB44304F66CAA9EA4AD61C1DA304D86DF10

Function 000000C000D21500 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000D16000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000d16000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd97ff44b9229a4f039a192da0a4aa74772c4fdccadc959e2881fb76c5363f16
Instruction ID: 7ff37ca655e9e061c1b393ebcb452aadcaa56ae025e6e64190a2424224f59e86
Opcode Fuzzy Hash: cd97ff44b9229a4f039a192da0a4aa74772c4fdccadc959e2881fb76c5363f16
Instruction Fuzzy Hash: 92D1D978600115DAFF649F28CC94FBE73B5FBA4314F65C6AAE84AD6180DA304E85CF60

Function 000000C000B96710 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000B86000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000b86000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76286e0e62048cb97cca35ae809e2ce93e7d3cd713394b6ec5ae686681172e89
Instruction ID: 7e2c4c47e0bb326596d79b02cfc054a7256a7306c69360a55b6063b0daa65eb8
Opcode Fuzzy Hash: 76286e0e62048cb97cca35ae809e2ce93e7d3cd713394b6ec5ae686681172e89
Instruction Fuzzy Hash: 5EC1B875901225CBEF25DF68C894BEA77F1AF48308F3642A9D9499B282D734DD82CF50

Function 000000C000D26710 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000D16000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000d16000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76286e0e62048cb97cca35ae809e2ce93e7d3cd713394b6ec5ae686681172e89
Instruction ID: 89bcea5d6412548f464a08bf58ebb4ca398b09d6030e757353c221c52bd4a428
Opcode Fuzzy Hash: 76286e0e62048cb97cca35ae809e2ce93e7d3cd713394b6ec5ae686681172e89
Instruction Fuzzy Hash: 1DC1C975901365CBEF24DF24C894BAA77E1AF58308F2542EAD8599B282D731DD82CF60

Function 000000C000B9FBB9 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000B86000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000b86000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bacf3f0c7ebe69b94297e4f2d66653521981c86d2e3a41803a07cc1db4196980
Instruction ID: f5c37381bf6c93c4f4634aa90158975508f49a39402ea58dabd326fc921bbdc6
Opcode Fuzzy Hash: bacf3f0c7ebe69b94297e4f2d66653521981c86d2e3a41803a07cc1db4196980
Instruction Fuzzy Hash: 18C120B1A0022A8FDB64CF28C880B99B7F5FF48314F2582E9DA09E7251D771AD85CF44

Function 000000C000D2FBB9 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000D16000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000d16000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bacf3f0c7ebe69b94297e4f2d66653521981c86d2e3a41803a07cc1db4196980
Instruction ID: eb7fed96efd0ffebe1d4115e0654d9bce1d25bea98a4f5f8a445aaac731ccef9
Opcode Fuzzy Hash: bacf3f0c7ebe69b94297e4f2d66653521981c86d2e3a41803a07cc1db4196980
Instruction Fuzzy Hash: E2C140B1A00229CFEB64CF28C980B99B7F5BF58314F2586FAD909A7241D7319E85CF54

Function 000000C000B90490 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000B86000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000b86000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952b01ec1ca367968e89b5b9a4dc5fc3886a3aef8b3f6603b30ba398917679dd
Instruction ID: ac7e528a29c835b23772e8287142b3a283c2907f648a8c3698ed385438c61e39
Opcode Fuzzy Hash: 952b01ec1ca367968e89b5b9a4dc5fc3886a3aef8b3f6603b30ba398917679dd
Instruction Fuzzy Hash: 9D71B231214205DFF691BB748889F6E36D9AB85368F328729F615C21E2CB78DD01CF56

Function 000000C000D20490 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000D16000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000d16000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952b01ec1ca367968e89b5b9a4dc5fc3886a3aef8b3f6603b30ba398917679dd
Instruction ID: f556e23f99cd07cf23ab61a50854696ee89449bbffcf43d98315538db7b30328
Opcode Fuzzy Hash: 952b01ec1ca367968e89b5b9a4dc5fc3886a3aef8b3f6603b30ba398917679dd
Instruction Fuzzy Hash: 7471A130604245EBFE919F348889FAE7AE9AB95318F32472BF405C31D3CB649D05CA76

Function 000000C000B961A0 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000B86000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000b86000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180ed03c200cb032ffb390f5e44af75093ac241141d29e663b8a0feacf354f6f
Instruction ID: 217804fc55642c57b6c0e1e05f4cf994b1cbcd3adbe6dac2d5fb652fed10db5c
Opcode Fuzzy Hash: 180ed03c200cb032ffb390f5e44af75093ac241141d29e663b8a0feacf354f6f
Instruction Fuzzy Hash: 3B61D675A046449FE711CF58C091BEAFBF0EF46314F258689D8989B383E235A446CB90

Function 000000C000D261A0 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000D16000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000d16000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180ed03c200cb032ffb390f5e44af75093ac241141d29e663b8a0feacf354f6f
Instruction ID: dffc42b3a98f4a82c18cc843c87d7edb55cc5ebfd3beafe75afd36846ba8d686
Opcode Fuzzy Hash: 180ed03c200cb032ffb390f5e44af75093ac241141d29e663b8a0feacf354f6f
Instruction Fuzzy Hash: 6461D575E046449FEB11CF58C091BEAFBF0EF56314F25868AD8988B383D235E546CBA0

Function 000000C000B9F489 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000B86000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000b86000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a35fdefb7b911916dabae78f6a8c18db95561a798d5e129b14450f2370ae0f4
Instruction ID: 63f990a44292f5260f90bdf589d9ea1626f504c25dc397e541a8f797376e4767
Opcode Fuzzy Hash: 4a35fdefb7b911916dabae78f6a8c18db95561a798d5e129b14450f2370ae0f4
Instruction Fuzzy Hash: 8F518372E0021A9FCB04CFAEC5845AEFBF5FF88314B2586AAD514E7314D770AA458F94

Function 000000C000D2F489 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000D16000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000d16000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a35fdefb7b911916dabae78f6a8c18db95561a798d5e129b14450f2370ae0f4
Instruction ID: 196737a540dc3fff2b578a486cd0fd43859a0ac9a0e883c69332a8aeadf7ca82
Opcode Fuzzy Hash: 4a35fdefb7b911916dabae78f6a8c18db95561a798d5e129b14450f2370ae0f4
Instruction Fuzzy Hash: 3C5171B2E0021A9FCB04CFAEC58459EFBF5FF88314B2586AAD414E7314D770AA458F94

Function 000000C000B9F1DA Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000B86000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000b86000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2f6e3b69cda0e33844df2993c98208fb269686146d4b4754df0909aea0f353
Instruction ID: 9d5285b04afffca82bea465b233e7cacfcb2c5c60f32443760fe0ba3c5579c35
Opcode Fuzzy Hash: fa2f6e3b69cda0e33844df2993c98208fb269686146d4b4754df0909aea0f353
Instruction Fuzzy Hash: A3517475E0021A8FCB44CFA9C5885AEF7F5FF88310B25856AD914E7304E731AA51CFA1

Function 000000C000D2F1DA Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000D16000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000d16000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2f6e3b69cda0e33844df2993c98208fb269686146d4b4754df0909aea0f353
Instruction ID: 35851c5b84f764465c007a8e1548f94359d6547819c8b360caab443a7e406d50
Opcode Fuzzy Hash: fa2f6e3b69cda0e33844df2993c98208fb269686146d4b4754df0909aea0f353
Instruction Fuzzy Hash: D7516475E0021A8FCB44CFA9C5885AEF7F5FF88310B25856AD814E7304E731AA51CFA1

Function 000000C000B9F33B Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000B86000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000b86000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79607063d36ac048d0c756a7f4629638d5d2946ff9a9e9f7ee67944044d295d0
Instruction ID: b71121a98283b03486f9cae1874b7e388e401ea9ab923db16aa93c5c0b713215
Opcode Fuzzy Hash: 79607063d36ac048d0c756a7f4629638d5d2946ff9a9e9f7ee67944044d295d0
Instruction Fuzzy Hash: 8F51C5B5E006169FCB04CFA9C5809AEFBF5FF8C310B15862AD815A3704E7746A62CF90

Function 000000C000D2F33B Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000D16000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000d16000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79607063d36ac048d0c756a7f4629638d5d2946ff9a9e9f7ee67944044d295d0
Instruction ID: 36ab371e319ace409fbe6828f0c300d2221eb91c269db31251cb6065ce9ff312
Opcode Fuzzy Hash: 79607063d36ac048d0c756a7f4629638d5d2946ff9a9e9f7ee67944044d295d0
Instruction Fuzzy Hash: A151B8B5E006169FCB14CF99C5805AEFBF5FF8C310B15866AD815A3704E7746A62CFA0

Function 000000C000B9F60E Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000B86000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000b86000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee2bda98671176044f3f2b7d2791a70fb3106e2f99b475ad10d6ed87f6835df
Instruction ID: 2fe9585d11f240fc01cbd403728102ef976908cf56c16f03dab177550be320f3
Opcode Fuzzy Hash: 2ee2bda98671176044f3f2b7d2791a70fb3106e2f99b475ad10d6ed87f6835df
Instruction Fuzzy Hash: E5418070A00B06AFC794CF69D580A9AF7F0FF58324B108669D559D3A01D730FAA5CF94

Function 000000C000D2F60E Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000D16000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000d16000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee2bda98671176044f3f2b7d2791a70fb3106e2f99b475ad10d6ed87f6835df
Instruction ID: c338f4b3d43204c79a932526a5ccd037b6591749faeb73d23a0f981e2f8d57f5
Opcode Fuzzy Hash: 2ee2bda98671176044f3f2b7d2791a70fb3106e2f99b475ad10d6ed87f6835df
Instruction Fuzzy Hash: E5418170A00B06AFCB94CF69D580A8AF7F0FF58324B108A6AD459D3A01D730FA65CF94

Function 000000C000B9F731 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000B86000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000b86000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03414227deb67863d8fdb8d2308ddf28e1b949574b55185ea76df967b3bd812c
Instruction ID: f8af6fd9e0c5901293952210f18d1c6e2029bece5ef5fce2c0eb0e015d2760e2
Opcode Fuzzy Hash: 03414227deb67863d8fdb8d2308ddf28e1b949574b55185ea76df967b3bd812c
Instruction Fuzzy Hash: 7121D571901214DFCB08CF79C68958AFBB5FF88324B2581AAD916DB231D331E942CF90

Function 000000C000D2F731 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000D16000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000d16000_LisectAVT_2403002A_326.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03414227deb67863d8fdb8d2308ddf28e1b949574b55185ea76df967b3bd812c
Instruction ID: 2457380be68f6f21c43c4c6d9a09c0a934836d986cbc1045398e564f7fd912d6
Opcode Fuzzy Hash: 03414227deb67863d8fdb8d2308ddf28e1b949574b55185ea76df967b3bd812c
Instruction Fuzzy Hash: B221D571901214DFDB08CF79C68958AFBB5FF88324B2585AAD816DB231D331E942CFA0

Function 000000C000CDF1C0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000CCA000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000CCA000, based on PE: true

Associated: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000cca000_LisectAVT_2403002A_326.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Function 000000C000CE292A Relevance: 129.2, APIs: 86, Instructions: 188COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000000C000CE293E
_free.LIBCMT ref: 000000C000CE2946
_free.LIBCMT ref: 000000C000CE294E
_free.LIBCMT ref: 000000C000CE2956
_free.LIBCMT ref: 000000C000CE295E
_free.LIBCMT ref: 000000C000CE2966
_free.LIBCMT ref: 000000C000CE296D
_free.LIBCMT ref: 000000C000CE2975
_free.LIBCMT ref: 000000C000CE297D
_free.LIBCMT ref: 000000C000CE2985
_free.LIBCMT ref: 000000C000CE298D
_free.LIBCMT ref: 000000C000CE2995
_free.LIBCMT ref: 000000C000CE299D
_free.LIBCMT ref: 000000C000CE29A5
_free.LIBCMT ref: 000000C000CE29AD
_free.LIBCMT ref: 000000C000CE29B5
_free.LIBCMT ref: 000000C000CE29C0
_free.LIBCMT ref: 000000C000CE29C8
_free.LIBCMT ref: 000000C000CE29D0
_free.LIBCMT ref: 000000C000CE29D8
_free.LIBCMT ref: 000000C000CE29E0
_free.LIBCMT ref: 000000C000CE29E8
_free.LIBCMT ref: 000000C000CE29F0
_free.LIBCMT ref: 000000C000CE29F8
_free.LIBCMT ref: 000000C000CE2A00
_free.LIBCMT ref: 000000C000CE2A08
_free.LIBCMT ref: 000000C000CE2A10
_free.LIBCMT ref: 000000C000CE2A18
_free.LIBCMT ref: 000000C000CE2A20
_free.LIBCMT ref: 000000C000CE2A28
_free.LIBCMT ref: 000000C000CE2A30
_free.LIBCMT ref: 000000C000CE2A38
_free.LIBCMT ref: 000000C000CE2A46
_free.LIBCMT ref: 000000C000CE2A51
_free.LIBCMT ref: 000000C000CE2A5C
_free.LIBCMT ref: 000000C000CE2A67
_free.LIBCMT ref: 000000C000CE2A72
_free.LIBCMT ref: 000000C000CE2A7D
_free.LIBCMT ref: 000000C000CE2A88
_free.LIBCMT ref: 000000C000CE2A93
_free.LIBCMT ref: 000000C000CE2A9E
_free.LIBCMT ref: 000000C000CE2AA9
_free.LIBCMT ref: 000000C000CE2AB4
_free.LIBCMT ref: 000000C000CE2ABF
_free.LIBCMT ref: 000000C000CE2ACA
_free.LIBCMT ref: 000000C000CE2AD5
_free.LIBCMT ref: 000000C000CE2AE0
_free.LIBCMT ref: 000000C000CE2AEB
_free.LIBCMT ref: 000000C000CE2AF9
_free.LIBCMT ref: 000000C000CE2B04
_free.LIBCMT ref: 000000C000CE2B0F
_free.LIBCMT ref: 000000C000CE2B1A
_free.LIBCMT ref: 000000C000CE2B25
_free.LIBCMT ref: 000000C000CE2B30
_free.LIBCMT ref: 000000C000CE2B3B
_free.LIBCMT ref: 000000C000CE2B46
_free.LIBCMT ref: 000000C000CE2B51
_free.LIBCMT ref: 000000C000CE2B5C
_free.LIBCMT ref: 000000C000CE2B67
_free.LIBCMT ref: 000000C000CE2B72
_free.LIBCMT ref: 000000C000CE2B7D
_free.LIBCMT ref: 000000C000CE2B88
_free.LIBCMT ref: 000000C000CE2B93
_free.LIBCMT ref: 000000C000CE2B9E
_free.LIBCMT ref: 000000C000CE2BAC
_free.LIBCMT ref: 000000C000CE2BB7
_free.LIBCMT ref: 000000C000CE2BC2
_free.LIBCMT ref: 000000C000CE2BCD
_free.LIBCMT ref: 000000C000CE2BD8
_free.LIBCMT ref: 000000C000CE2BE3
_free.LIBCMT ref: 000000C000CE2BEE
_free.LIBCMT ref: 000000C000CE2BF9
_free.LIBCMT ref: 000000C000CE2C04
_free.LIBCMT ref: 000000C000CE2C0F
_free.LIBCMT ref: 000000C000CE2C1A
_free.LIBCMT ref: 000000C000CE2C25
_free.LIBCMT ref: 000000C000CE2C30
_free.LIBCMT ref: 000000C000CE2C3B
_free.LIBCMT ref: 000000C000CE2C46
_free.LIBCMT ref: 000000C000CE2C51
_free.LIBCMT ref: 000000C000CE2C5F
_free.LIBCMT ref: 000000C000CE2C6A
_free.LIBCMT ref: 000000C000CE2C75
_free.LIBCMT ref: 000000C000CE2C80
_free.LIBCMT ref: 000000C000CE2C8B
_free.LIBCMT ref: 000000C000CE2C96

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000CCA000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000CCA000, based on PE: true

Associated: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000cca000_LisectAVT_2403002A_326.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction ID: c21eec0d1d73d21bd3c9a6e9ed6c21e93fe7ef2e41462771aefd7bfa26d865bc
Opcode Fuzzy Hash: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction Fuzzy Hash: 2A91DE31420AC0DAF6633B31DD02FD976AA7F84304F314A14B9DE285B3DAA368B5D795

Function 000000C000CE1C43 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 000000C000CE1C4F

Part of subcall function 000000C000CE0F2C: __getptd_noexit.LIBCMT ref: 000000C000CE0F2F
Part of subcall function 000000C000CE0F2C: __amsg_exit.LIBCMT ref: 000000C000CE0F3C

__amsg_exit.LIBCMT ref: 000000C000CE1C6F
__lock.LIBCMT ref: 000000C000CE1C7F
_free.LIBCMT ref: 000000C000CE1CAF

Strings

05B, xrefs: 000000C000CE1CA6

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000CCA000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000CCA000, based on PE: true

Associated: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000cca000_LisectAVT_2403002A_326.jbxd

Yara matches

Similarity

API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
String ID: 05B
API String ID: 3170801528-3788103304
Opcode ID: cb1538446801220004b0e94d2aebbf41e1672ae537431284a663a37179733970
Instruction ID: baf8252d3afc2b6eb9427d28960bf835f029975e987320265aab25379df3a363
Opcode Fuzzy Hash: cb1538446801220004b0e94d2aebbf41e1672ae537431284a663a37179733970
Instruction Fuzzy Hash: 3B11A031B41791EBF620AB64D405F9977A0AB04718F3A4225FC11E72D1C7B85991CBD5

Function 000000C000CE19A7 Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 000000C000CE19B3

Part of subcall function 000000C000CE0F2C: __getptd_noexit.LIBCMT ref: 000000C000CE0F2F
Part of subcall function 000000C000CE0F2C: __amsg_exit.LIBCMT ref: 000000C000CE0F3C

__getptd.LIBCMT ref: 000000C000CE19CA
__amsg_exit.LIBCMT ref: 000000C000CE19D8
__lock.LIBCMT ref: 000000C000CE19E8
__updatetlocinfoEx_nolock.LIBCMT ref: 000000C000CE19FC

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000CCA000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000CCA000, based on PE: true

Associated: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000cca000_LisectAVT_2403002A_326.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: ce05a91ea9c2b8e711ac95fae42e6a284d9b9390d13ac8f67e08820a18d7d66a
Instruction ID: 0e0f752c25bc7f87e727b1239c06073765ac27b31338a922258844d1ef661fd7
Opcode Fuzzy Hash: ce05a91ea9c2b8e711ac95fae42e6a284d9b9390d13ac8f67e08820a18d7d66a
Instruction Fuzzy Hash: 3EF06232A05394DAF770BBB8D403F8936E06B00729F3B4359F814A61D3CBB859A1D799

Function 000000C000B9EF13 Relevance: 6.2, APIs: 4, Instructions: 216COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 000000C000B9EF8D
__aullrem.LIBCMT ref: 000000C000B9F083
__aulldiv.LIBCMT ref: 000000C000B9F0A8
__aulldiv.LIBCMT ref: 000000C000B9F0C6

Memory Dump Source

Source File: 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000B86000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000b86000_LisectAVT_2403002A_326.jbxd

Similarity

API ID: __aulldiv__aullrem
String ID:
API String ID: 3839614884-0
Opcode ID: 2f2f60f2aa538a96d0b82c3916ac98ddb584364b82f1c96d42a2715327b02ca0
Instruction ID: fffa11578e5a4f984f2c38d0840c31e463d1956de22eadd7e12094c69675480a
Opcode Fuzzy Hash: 2f2f60f2aa538a96d0b82c3916ac98ddb584364b82f1c96d42a2715327b02ca0
Instruction Fuzzy Hash: 9D911E32E00125DBEF54CF98C881BADB7F6BB48324F268269E614F7281D675AD41CF94

Function 000000C000D2EF13 Relevance: 6.2, APIs: 4, Instructions: 216COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 000000C000D2EF8D
__aullrem.LIBCMT ref: 000000C000D2F083
__aulldiv.LIBCMT ref: 000000C000D2F0A8
__aulldiv.LIBCMT ref: 000000C000D2F0C6

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000D16000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000d16000_LisectAVT_2403002A_326.jbxd

Similarity

API ID: __aulldiv__aullrem
String ID:
API String ID: 3839614884-0
Opcode ID: 2f2f60f2aa538a96d0b82c3916ac98ddb584364b82f1c96d42a2715327b02ca0
Instruction ID: 0bc84b7464fc0904003c7aeb8e21ccaa2f6ed60b004855bf7776e99c74c0abcf
Opcode Fuzzy Hash: 2f2f60f2aa538a96d0b82c3916ac98ddb584364b82f1c96d42a2715327b02ca0
Instruction Fuzzy Hash: BC915F32E00214DBEF14CF98C981F9DB7F2BF58314F66867AE914A7281D635AD41CB60

Function 000000C000B8F4F6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 000000C000B8F500

Strings

., xrefs: 000000C000B8F584
P2@, xrefs: 000000C000B8F5B6

Memory Dump Source

Source File: 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000B86000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000b86000_LisectAVT_2403002A_326.jbxd

Similarity

API ID: H_prolog3_
String ID: .$P2@
API String ID: 2427045233-1620272448
Opcode ID: d76433bb8ed8120453bf614eb48610d80d451cbc73bad96430937a88e0339460
Instruction ID: 7b8a66b5cde23ea6bba68c1adcdea4a2ac26ce2cbaf366b2f0fd5a4c606d0e69
Opcode Fuzzy Hash: d76433bb8ed8120453bf614eb48610d80d451cbc73bad96430937a88e0339460
Instruction Fuzzy Hash: 0B515370A00216CBEF50DF69C8D5BA9B7F5BF48304F1282AAD909AB261DB75DD81CF50

Function 000000C000D1F4F6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 000000C000D1F500

Strings

., xrefs: 000000C000D1F584
P2@, xrefs: 000000C000D1F5B6

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000D16000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000d16000_LisectAVT_2403002A_326.jbxd

Similarity

API ID: H_prolog3_
String ID: .$P2@
API String ID: 2427045233-1620272448
Opcode ID: d76433bb8ed8120453bf614eb48610d80d451cbc73bad96430937a88e0339460
Instruction ID: fc66150101047dc6776eaae0c12f8adea3e0760d5d25b7998d84ffab1b7f79dd
Opcode Fuzzy Hash: d76433bb8ed8120453bf614eb48610d80d451cbc73bad96430937a88e0339460
Instruction Fuzzy Hash: 26514175A00215DBEF10DF69C895BD9B7F5BF48304F2242AAD848AB261DB719E81CF60

Function 000000C000CDDD60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 000000C000CDDDAF
__aulldiv.LIBCMT ref: 000000C000CDDDBD

Strings

@, xrefs: 000000C000CDDD8A

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000CCA000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000CCA000, based on PE: true

Associated: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000cca000_LisectAVT_2403002A_326.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: @
API String ID: 3732870572-2766056989
Opcode ID: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction ID: 46d20d89bc2446933bb7dd2b4022983c00363890759b7100f84bda4725fe2027
Opcode Fuzzy Hash: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction Fuzzy Hash: 74110CB0D40208ABEB10DBD4CC49FAE77B9BB44705F204548F605BB2C5D7B4A9018BA8

Function 000000C000CCA5E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 000000C000CCA618
__aulldiv.LIBCMT ref: 000000C000CCA626

Strings

@, xrefs: 000000C000CCA5F3

Memory Dump Source

Source File: 00000000.00000002.1889998486.000000C000CCA000.00000004.00001000.00020000.00000000.sdmp, Offset: 000000C000CCA000, based on PE: true

Associated: 00000000.00000002.1889998486.000000C000D16000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c000cca000_LisectAVT_2403002A_326.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: @
API String ID: 3732870572-2766056989
Opcode ID: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction ID: 2a8212aeca9c4738190cc41e1d1176db98b58bde86bb5794fdc7adbe01896aba
Opcode Fuzzy Hash: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction Fuzzy Hash: 730128B0940208EAFB20EBA0CC4DF9DBBB8AB1470DF258158F6087A1C1C7745645CB59

Analysis Process: BitLockerToGo.exePID: 7148, Parent PID: 6992COMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.3%
Total number of Nodes:	1397
Total number of Limit Nodes:	16

Executed Functions

Function 030643C0 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32(?,00000104), ref: 030643EC

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 501c82fdea51c5e1cf211fb87025122c70e74dca19b518a87772bf9f5e28b131
Instruction ID: 72d8928eb1420714aaace515c73a1c1aafad0435c57561bd4ff01ebba5b8c227
Opcode Fuzzy Hash: 501c82fdea51c5e1cf211fb87025122c70e74dca19b518a87772bf9f5e28b131
Instruction Fuzzy Hash: 76E0B6B594030CABDB00EBE4E84DA9DBBB8BB08312F504195EA49E2284D67466848B91

Function 03051120 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,030636D7,0306D6E3), ref: 0305112A

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 6885288666b7db901854a90e2b8df0e21415a89b5d3c2f6833bf01285e0ebcf2
Instruction ID: 6b8cf188fd2479cf01a9e51f22299d9b0527860cad227f6b346fe99fd2f4a40d
Opcode Fuzzy Hash: 6885288666b7db901854a90e2b8df0e21415a89b5d3c2f6833bf01285e0ebcf2
Instruction Fuzzy Hash: ECD05E74D0120C8BCF04FFE5A94D6EDBBB8BB0C615F000495EC0562240E7305841CA66

Function 03065ED0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 212
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,030636C0), ref: 0306610A
LoadLibraryA.KERNELBASE(?,?,030636C0), ref: 0306611B
LoadLibraryA.KERNELBASE(?,?,030636C0), ref: 0306613F

Strings

NtQueryInformationProcess, xrefs: 0306621A

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 1029625771-2781105232
Opcode ID: 1352f2d70de9ed9ac9392f1ac3c2d01211e4db7f1838d58d586cde6ceb83e296
Instruction ID: ece51fe9f98ac52ed9f6c76fa6cdbc074d645edad4812bbfbb03a2b9ec7d2075
Opcode Fuzzy Hash: 1352f2d70de9ed9ac9392f1ac3c2d01211e4db7f1838d58d586cde6ceb83e296
Instruction Fuzzy Hash: 89A1D0B5A10200EFC744FFAAF98CA2277B9BB8E311721C619E209C729CD7759481CF95

Function 030511E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 030511FE
__aulldiv.LIBCMT ref: 03051218
__aulldiv.LIBCMT ref: 03051226

Strings

@, xrefs: 030511F3

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: __aulldiv$GlobalMemoryStatus
String ID: @
API String ID: 2185283323-2766056989
Opcode ID: 5813d2b93a4cbf626ef52df4870751e9a25100612536db87580b7a645d0a2fc6
Instruction ID: 33b2c3eff441e93d99d80a1db737fb03e378e128472b5ac8f21b62af0c5cd152
Opcode Fuzzy Hash: 5813d2b93a4cbf626ef52df4870751e9a25100612536db87580b7a645d0a2fc6
Instruction Fuzzy Hash: 240162B0D45308FAEF14EBE0DD49B9EB7B8AF44701F248444FB04BA1C4C67555458B55

Function 030543B0 Relevance: 2.5, APIs: 2, Instructions: 44
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNELBASE(00000040,?,?,?,030636BB), ref: 030543C0
strlen.MSVCRT ref: 030543F9

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AllocLocalstrlen
String ID:
API String ID: 3248042016-0
Opcode ID: 9312739932d57d03f272d32755ccfbf461f4d88a41314d9265f3edae1d1cf63c
Instruction ID: 03d40d012ae59511fec94a073263fdaaf9461674532d6d737f0d7a9bdc25007f
Opcode Fuzzy Hash: 9312739932d57d03f272d32755ccfbf461f4d88a41314d9265f3edae1d1cf63c
Instruction Fuzzy Hash: 99115EB4A05248EFCB04CFA9C8D0BAEBBF5FF48305F148099E90997305C335AA60CB44

Function 030636B0 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03051120: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,030636D7,0306D6E3), ref: 0305112A

Part of subcall function 030510D0: VirtualAllocExNuma.KERNELBASE(00000000,?,?,030636DC), ref: 030510F2

Part of subcall function 030511E0: GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 030511FE
Part of subcall function 030511E0: __aulldiv.LIBCMT ref: 03051218
Part of subcall function 030511E0: __aulldiv.LIBCMT ref: 03051226

GetUserDefaultLangID.KERNELBASE ref: 030636E6

Part of subcall function 030643C0: GetUserNameA.ADVAPI32(?,00000104), ref: 030643EC

Part of subcall function 03064400: GetComputerNameA.KERNEL32(?,00000104), ref: 0306442C

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: NameUser__aulldiv$AllocComputerDefaultGlobalInfoLangMemoryNumaStatusSystemVirtual
String ID:
API String ID: 736289943-0
Opcode ID: 43e4a4831f4d1e861a328fb10faf9cae2adb1143615bdf76e28fbfd19e0f8ea7
Instruction ID: 93369c6c15b62d96dfd121806997dca8a9180ba7ee0d3ce741a3c4764ed0b3df
Opcode Fuzzy Hash: 43e4a4831f4d1e861a328fb10faf9cae2adb1143615bdf76e28fbfd19e0f8ea7
Instruction Fuzzy Hash: 23315C78902308ABDB04FBF0EC54BFFB379AF84600F004558E5126A198DFB16A04CBE5

Function 030635E0 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0306D8AC,?), ref: 0306369A

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 3ebe64699b0ad77164ea0dcca000ab42cb1d513e43c67eaeeb32708aefaa4264
Instruction ID: c7e87d05b7e344561d40af3b63072911ae2bbe676dc91b33f51e4a1cfa90ecfe
Opcode Fuzzy Hash: 3ebe64699b0ad77164ea0dcca000ab42cb1d513e43c67eaeeb32708aefaa4264
Instruction Fuzzy Hash: DF21ED75D14208ABCB44EFE4E949AEEB7B5BF48300F04856EE509E3254EB345604CBA9

Function 03064400 Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32(?,00000104), ref: 0306442C

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 13e073868aafaed9d25f521e9babc49a6324491972c839037f5fc6fa0500fc9d
Instruction ID: 4766df163a78a5771ed5c31e2f0094db4c89b637a0b1739ce096949a35d0ae1b
Opcode Fuzzy Hash: 13e073868aafaed9d25f521e9babc49a6324491972c839037f5fc6fa0500fc9d
Instruction Fuzzy Hash: E2E01274A01208EBDB10EFA5E949B9DB7FCBB08701F504095EA05D7244E6709A448B91

Function 030510D0 Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocExNuma.KERNELBASE(00000000,?,?,030636DC), ref: 030510F2

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: 7b124daf9af9cb50f1a5f9b9e4f1735a3acb6c40fa77810ec6b1c5ab3d4171e8
Instruction ID: 7e7a368210cae2aee1a7550a1c7f9f137c70a5f7a83f774212a8683108927514
Opcode Fuzzy Hash: 7b124daf9af9cb50f1a5f9b9e4f1735a3acb6c40fa77810ec6b1c5ab3d4171e8
Instruction Fuzzy Hash: E5E0E67098530CBBEB14BBA1ED1EB59B6A8FB09B02F204094F7097A1C4D6B525009699

Function 03051060 Relevance: 1.3, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,17C841C0,00003000,00000004,?,?,?,0305110E,?,?,030636DC), ref: 03051073

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3c1299ea0ae145f871b403a1448ee80848febfab389f76b495ef45604f766cf2
Instruction ID: 6527cdf4ee8e0467ba6532589814ca81c8e1e474886a7ce0a0a9d483016692d9
Opcode Fuzzy Hash: 3c1299ea0ae145f871b403a1448ee80848febfab389f76b495ef45604f766cf2
Instruction Fuzzy Hash: ABF0E975641214BBE714EAB56C59FBFF3DCA705705F304544F904E7240D6719E008690

Non-executed Functions

Function 03067B4E Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 03068E46
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03068E5B
UnhandledExceptionFilter.KERNEL32(0306C690), ref: 03068E66
GetCurrentProcess.KERNEL32(C0000409), ref: 03068E82
TerminateProcess.KERNEL32(00000000), ref: 03068E89

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: ccc58e70cab869559a9182542cc31b07ebcabaeb38e5c155926ac477c28059b9
Instruction ID: 1180c24b88aaf4ef8de56eaaa4c94039f6be587ae18d6f6e23f21005f7fd2c65
Opcode Fuzzy Hash: ccc58e70cab869559a9182542cc31b07ebcabaeb38e5c155926ac477c28059b9
Instruction Fuzzy Hash: 6521F2B8C03308DFD310FF66F048A447BE4BB08745F00505AE508A764EEBB84685CF55

Function 03069DC7 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00019D85), ref: 03069DCC

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 60c37d4e9747d246e3281c60b5f3145002e6df190ba12ae5a58040eae94f9123
Instruction ID: 9762bdb4e51c3d945b781a0c0e77dd4a807dbedb88b4874ce10f90e218f88ba7
Opcode Fuzzy Hash: 60c37d4e9747d246e3281c60b5f3145002e6df190ba12ae5a58040eae94f9123
Instruction Fuzzy Hash: 2F9002B065B6444A960067B15D1D5197A946A8C50674104A4A136C840FEB7441085515

Function 0306952A Relevance: 129.2, APIs: 86, Instructions: 188
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 0306953E

Part of subcall function 03067247: HeapFree.KERNEL32(00000000,00000000,?,03067158,00000000,03071AC0,0306719F,?,?,?,0306720F,03071AC0,?,?,03069FD3,03071AC0), ref: 0306725D
Part of subcall function 03067247: GetLastError.KERNEL32(?,?,03067158,00000000,03071AC0,0306719F,?,?,?,0306720F,03071AC0,?,?,03069FD3,03071AC0), ref: 0306726F

_free.LIBCMT ref: 03069546
_free.LIBCMT ref: 0306954E
_free.LIBCMT ref: 03069556
_free.LIBCMT ref: 0306955E
_free.LIBCMT ref: 03069566
_free.LIBCMT ref: 0306956D
_free.LIBCMT ref: 03069575
_free.LIBCMT ref: 0306957D
_free.LIBCMT ref: 03069585
_free.LIBCMT ref: 0306958D
_free.LIBCMT ref: 03069595
_free.LIBCMT ref: 0306959D
_free.LIBCMT ref: 030695A5
_free.LIBCMT ref: 030695AD
_free.LIBCMT ref: 030695B5
_free.LIBCMT ref: 030695C0
_free.LIBCMT ref: 030695C8
_free.LIBCMT ref: 030695D0
_free.LIBCMT ref: 030695D8
_free.LIBCMT ref: 030695E0
_free.LIBCMT ref: 030695E8
_free.LIBCMT ref: 030695F0
_free.LIBCMT ref: 030695F8
_free.LIBCMT ref: 03069600
_free.LIBCMT ref: 03069608
_free.LIBCMT ref: 03069610
_free.LIBCMT ref: 03069618
_free.LIBCMT ref: 03069620
_free.LIBCMT ref: 03069628
_free.LIBCMT ref: 03069630
_free.LIBCMT ref: 03069638
_free.LIBCMT ref: 03069646
_free.LIBCMT ref: 03069651
_free.LIBCMT ref: 0306965C
_free.LIBCMT ref: 03069667
_free.LIBCMT ref: 03069672
_free.LIBCMT ref: 0306967D
_free.LIBCMT ref: 03069688
_free.LIBCMT ref: 03069693
_free.LIBCMT ref: 0306969E
_free.LIBCMT ref: 030696A9
_free.LIBCMT ref: 030696B4
_free.LIBCMT ref: 030696BF
_free.LIBCMT ref: 030696CA
_free.LIBCMT ref: 030696D5
_free.LIBCMT ref: 030696E0
_free.LIBCMT ref: 030696EB
_free.LIBCMT ref: 030696F9
_free.LIBCMT ref: 03069704
_free.LIBCMT ref: 0306970F
_free.LIBCMT ref: 0306971A
_free.LIBCMT ref: 03069725
_free.LIBCMT ref: 03069730
_free.LIBCMT ref: 0306973B
_free.LIBCMT ref: 03069746
_free.LIBCMT ref: 03069751
_free.LIBCMT ref: 0306975C
_free.LIBCMT ref: 03069767
_free.LIBCMT ref: 03069772
_free.LIBCMT ref: 0306977D
_free.LIBCMT ref: 03069788
_free.LIBCMT ref: 03069793
_free.LIBCMT ref: 0306979E
_free.LIBCMT ref: 030697AC
_free.LIBCMT ref: 030697B7
_free.LIBCMT ref: 030697C2
_free.LIBCMT ref: 030697CD
_free.LIBCMT ref: 030697D8
_free.LIBCMT ref: 030697E3
_free.LIBCMT ref: 030697EE
_free.LIBCMT ref: 030697F9
_free.LIBCMT ref: 03069804
_free.LIBCMT ref: 0306980F
_free.LIBCMT ref: 0306981A
_free.LIBCMT ref: 03069825
_free.LIBCMT ref: 03069830
_free.LIBCMT ref: 0306983B
_free.LIBCMT ref: 03069846
_free.LIBCMT ref: 03069851
_free.LIBCMT ref: 0306985F
_free.LIBCMT ref: 0306986A
_free.LIBCMT ref: 03069875
_free.LIBCMT ref: 03069880
_free.LIBCMT ref: 0306988B
_free.LIBCMT ref: 03069896

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction ID: 707d6c3379387d08951c104e2a4225fa0a6295a4b5cb8eae53cd2ebb20e0c43b
Opcode Fuzzy Hash: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction Fuzzy Hash: 4171D435412B429BD7637B31DD01EEA7AE27F84B08F106924B1FB2873CDA2278659B51

Function 0305EA90 Relevance: 23.1, APIs: 3, Strings: 10, Instructions: 363stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0305EB5B
memset.MSVCRT ref: 0305EF17

Part of subcall function 03064FA0: malloc.MSVCRT ref: 03064FA8
Part of subcall function 03064FA0: strncpy.MSVCRT ref: 03064FC3

strtok_s.MSVCRT ref: 0305EEB9

Strings

password: , xrefs: 0305EE3B
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0305EAE4
<Host>, xrefs: 0305EBBC
<User>, xrefs: 0305EC50
browser: FileZilla, xrefs: 0305ED99
profile: null, xrefs: 0305EDA8
<Pass encoding="base64">, xrefs: 0305EC9A
url: , xrefs: 0305EDB7
login: , xrefs: 0305EE0A
<Port>, xrefs: 0305EC06

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: strtok_s$mallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 2676359353-555421843
Opcode ID: 0ef2b85ea88157ed5d365466420404c8b801cc049c365a6e2e073e1b332aab3d
Instruction ID: f033d66c365bea9b3d38ffb10bd304b39cbe332236f757418c5d199897b52c98
Opcode Fuzzy Hash: 0ef2b85ea88157ed5d365466420404c8b801cc049c365a6e2e073e1b332aab3d
Instruction Fuzzy Hash: 79D14075D122089FCB04FBE4DD59EEEB739BF58600F508418E516AE089EF71AA45CBA0

Function 03055610 Relevance: 11.0, APIs: 2, Strings: 5, Instructions: 493COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 03055B73
memcpy.MSVCRT ref: 03055BAB

Strings

------, xrefs: 030559FC
", xrefs: 03055985
", xrefs: 03055AC6
------, xrefs: 03055746
------, xrefs: 030558BB

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: "$"$------$------$------
API String ID: 3510742995-2180234286
Opcode ID: 7e971f29d5b1f3f820558a358b2f860ec9940e11a845e597d3064604ab26c55e
Instruction ID: 5e832389b071634b8574ac3588abe8c11d80ae432ce70bf5ce96f971855863a7
Opcode Fuzzy Hash: 7e971f29d5b1f3f820558a358b2f860ec9940e11a845e597d3064604ab26c55e
Instruction Fuzzy Hash: 8B12EE7582221CABCB15FBA0DC94FEEB37DBF54700F504199A1066A098EF716B49CFA0

Function 03061650 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 237COMMON

Download Yara Rule

Strings

%s\%s, xrefs: 03061714
%s\%s, xrefs: 030617FD
%s%s, xrefs: 03061838
%s\%s\%s, xrefs: 030617DB
%s\*, xrefs: 0306165D

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
API String ID: 0-2524465048
Opcode ID: 04e9787f8e062a1a04677ca41154a627ae6694e8d58d4d5dfad9630b3f7cd70c
Instruction ID: cd658d27d065ec60fbfa224f88806b22d8b8e598d25539a9a46c8a0379ded1a7
Opcode Fuzzy Hash: 04e9787f8e062a1a04677ca41154a627ae6694e8d58d4d5dfad9630b3f7cd70c
Instruction Fuzzy Hash: 8A9144759113189BDB14EFA5DC88FEE73BCBB88701F048588F51A96148EB749B84CFA1

Function 03063D90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 03063D9E
OpenProcess.KERNEL32(001FFFFF,00000000,03063FCD,0306D28B), ref: 03063DDC
memset.MSVCRT ref: 03063E2A
??_V@YAXPAX@Z.MSVCRT ref: 03063F7E

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 03063E4C

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: OpenProcessmemset
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 1606381396-4138519520
Opcode ID: ea1e738b42257d2f096706d9148042cad050c5ee14799dcc702f2ab34e01b9b7
Instruction ID: 300abe51a4183d908afef32bc0314830da88ac906663f8bf672a1736984c8693
Opcode Fuzzy Hash: ea1e738b42257d2f096706d9148042cad050c5ee14799dcc702f2ab34e01b9b7
Instruction Fuzzy Hash: B05180B4D013189FDB64EF94DC54BEEB7B8AF44304F1440E8E115661D8DB756A88CFA4

Function 030512D0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 139COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 030512E7
memset.MSVCRT ref: 030514D0

Strings

.keys, xrefs: 0305132B
wallet_path, xrefs: 030512F0
SOFTWARE\monero-project\monero-core, xrefs: 030512F5
\Monero\wallet.keys, xrefs: 0305134D

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: memset
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 2221118986-218353709
Opcode ID: e105a642c977131cca586c9506eb8717f84284dd63a5a81c5bcb839d7e53ec2a
Instruction ID: 14c66d120d14dab5de17e0e6654e9bf4cf00646d0932396d461149ef3b68fb07
Opcode Fuzzy Hash: e105a642c977131cca586c9506eb8717f84284dd63a5a81c5bcb839d7e53ec2a
Instruction Fuzzy Hash: C25163B5D512189BCB14FB60DD95FEE733CAF94600F4041D8A60A6A085EF716B88CFE5

Function 03067BA0 Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 03067BAE

Part of subcall function 03067641: __mtinitlocknum.LIBCMT ref: 03067657
Part of subcall function 03067641: __amsg_exit.LIBCMT ref: 03067663
Part of subcall function 03067641: EnterCriticalSection.KERNEL32(00000000,00000000,?,03067A49,0000000D,?,?,030673CF,0306726D,?,?,03067158,00000000,03071AC0,0306719F), ref: 0306766B

DecodePointer.KERNEL32(030719C8,00000020,03067CF1,00000000,00000001,00000000,?,03067D13,000000FF,?,03067668,00000011,00000000,?,03067A49,0000000D), ref: 03067BEA
DecodePointer.KERNEL32(?,03067D13,000000FF,?,03067668,00000011,00000000,?,03067A49,0000000D,?,?,030673CF,0306726D), ref: 03067BFB

Part of subcall function 030679C2: EncodePointer.KERNEL32(00000000,030691B2,03073DC8,00000314,00000000,?,?,?,?,?,03067F08,03073DC8,Microsoft Visual C++ Runtime Library,00012010), ref: 030679C4

DecodePointer.KERNEL32(-00000004,?,03067D13,000000FF,?,03067668,00000011,00000000,?,03067A49,0000000D,?,?,030673CF,0306726D), ref: 03067C21
DecodePointer.KERNEL32(?,03067D13,000000FF,?,03067668,00000011,00000000,?,03067A49,0000000D,?,?,030673CF,0306726D), ref: 03067C34
DecodePointer.KERNEL32(?,03067D13,000000FF,?,03067668,00000011,00000000,?,03067A49,0000000D,?,?,030673CF,0306726D), ref: 03067C3E

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: fc118acd422a190b9901a18c749f8ee11f39cc71107da2a7f81f1e889f60496a
Instruction ID: 0bafc804cbe0abfebff08a5804059b6dbe2f6bb039d9b73abed807697bb30add
Opcode Fuzzy Hash: fc118acd422a190b9901a18c749f8ee11f39cc71107da2a7f81f1e889f60496a
Instruction Fuzzy Hash: 46315A74D02309DFDF50EFA9D8846DCBBF4BF48A28F14806EE410A6298CBB58845CF65

Function 03068843 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0306884F

Part of subcall function 03067B2C: __getptd_noexit.LIBCMT ref: 03067B2F
Part of subcall function 03067B2C: __amsg_exit.LIBCMT ref: 03067B3C

__amsg_exit.LIBCMT ref: 0306886F
__lock.LIBCMT ref: 0306887F
InterlockedDecrement.KERNEL32(?), ref: 0306889C
_free.LIBCMT ref: 030688AF
InterlockedIncrement.KERNEL32(03073530), ref: 030688C7

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 01a39a9aaa7d613828974742cdaef765300a249b6eb4615a4cbe40143e4f35dd
Instruction ID: 395038a04151a14d066a5161911594734e1401d3539985e3347e0275bb69ab68
Opcode Fuzzy Hash: 01a39a9aaa7d613828974742cdaef765300a249b6eb4615a4cbe40143e4f35dd
Instruction Fuzzy Hash: E101803AE03711AFE721FB69940479EB7A0BF44B24F189045E810AB68CD738A591DBD5

Function 03063BC0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 03063BDF
??_U@YAPAXI@Z.MSVCRT ref: 03063C0D

Part of subcall function 03063890: strlen.MSVCRT ref: 030638A1
Part of subcall function 03063890: strlen.MSVCRT ref: 030638C5

VirtualQueryEx.KERNEL32(03063FCD,00000000,?,0000001C), ref: 03063C52
??_V@YAXPAX@Z.MSVCRT ref: 03063D73

Part of subcall function 03063AA0: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 03063AB8

Strings

@, xrefs: 03063C66

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @
API String ID: 2950663791-2766056989
Opcode ID: 49f699717b6b59b97cf5526d595965760645bfc3584b2e411bcb6d7dca84f106
Instruction ID: e80cce4cf585cd6e9662ba57ad08ea85594889643c31a94e21caee2ad66f79a2
Opcode Fuzzy Hash: 49f699717b6b59b97cf5526d595965760645bfc3584b2e411bcb6d7dca84f106
Instruction Fuzzy Hash: 935129B5E05209AFDB04CF98E891AEFB7B5FF88300F048558F915A7258D734AA01CBA1

Function 030685A7 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 030685B3

Part of subcall function 03067B2C: __getptd_noexit.LIBCMT ref: 03067B2F
Part of subcall function 03067B2C: __amsg_exit.LIBCMT ref: 03067B3C

__getptd.LIBCMT ref: 030685CA
__amsg_exit.LIBCMT ref: 030685D8
__lock.LIBCMT ref: 030685E8
__updatetlocinfoEx_nolock.LIBCMT ref: 030685FC

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 50695f7238092ec0127c0930336eb3444ccd9ca70ec6355e6897b34dd0394d84
Instruction ID: 441f9c3b08b62c240fc2fd2a4e68de0a9a09bcc2b4f96cd3508f6a22544f6df5
Opcode Fuzzy Hash: 50695f7238092ec0127c0930336eb3444ccd9ca70ec6355e6897b34dd0394d84
Instruction Fuzzy Hash: ADF0B43AE07700ABD761FB7C980579E77D0AF40B28F148149E554BF2CDCF685640CAAA

Function 03064960 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 030649AF
__aulldiv.LIBCMT ref: 030649BD

Strings

@, xrefs: 0306498A
%d MB, xrefs: 030649E0

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: %d MB$@
API String ID: 3732870572-3474575989
Opcode ID: ef2df6ba90e2aa2935fbe5098f96a0a6d10cdffb3eecbda5c64596dde552dcc5
Instruction ID: 116bcebffca1567f42fd506ab4bb8b77a6a873ff53a449ae42406d813b0d28b0
Opcode Fuzzy Hash: ef2df6ba90e2aa2935fbe5098f96a0a6d10cdffb3eecbda5c64596dde552dcc5
Instruction Fuzzy Hash: A711E5B1E45308ABEB00EFD5DD59FAEB7B8BB44700F104548F714BB284D7B5A9008BA5

Function 030597F0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0305980B
memset.MSVCRT ref: 0305983E

Strings

v10, xrefs: 03059802
@, xrefs: 03059847

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: memcmpmemset
String ID: @$v10
API String ID: 1065087418-24753345
Opcode ID: 584fa597b0a11b8c5e12d2e8bb54494d2278b5f283b555f679d0977c6555d0fd
Instruction ID: 4994647dcf6972dc94a48af3615c99c8ca2b58a038f542c7d53c230c9862773a
Opcode Fuzzy Hash: 584fa597b0a11b8c5e12d2e8bb54494d2278b5f283b555f679d0977c6555d0fd
Instruction Fuzzy Hash: FF410975A0520CEFDB04DF98C855BEEBBB9BF44704F048118F919AF289DB70AA45CB94

Function 03056CA0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 03056CE4
task.LIBCPMTD ref: 03056F25

Part of subcall function 03058C20: vsprintf_s.MSVCRT ref: 03058C3B

Strings

Password, xrefs: 03056DD1

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: memsettaskvsprintf_s
String ID: Password
API String ID: 2675463923-3434357891
Opcode ID: d9cae128f8f88b6b2c4b09dcc419d125bfd9aa1a42c595194b2ac4c3aac382c5
Instruction ID: 6e1a1f68865dcbc510d7664f413950be7f0ba0b9d74fca71528c9268a8590f54
Opcode Fuzzy Hash: d9cae128f8f88b6b2c4b09dcc419d125bfd9aa1a42c595194b2ac4c3aac382c5
Instruction Fuzzy Hash: 25610CB590126CDBDB24DB50CC44BDEB7B8BF88700F4085E9EA49AA245DB715BC9CF90

Function 0305FAE0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0305FB28
strtok_s.MSVCRT ref: 0305FCB2

Strings

block, xrefs: 0305FAF7

Memory Dump Source

Source File: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, Offset: 03050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID: block
API String ID: 3330995566-2199623458
Opcode ID: b807de8e2fcc7575c5bf2b979009ddcc6bf89e4d7665c950871d714608653f8d
Instruction ID: 9e5581b21237a41fb0ca189f634506ed92294f08207e2229833bbbba3e1eb52a
Opcode Fuzzy Hash: b807de8e2fcc7575c5bf2b979009ddcc6bf89e4d7665c950871d714608653f8d
Instruction Fuzzy Hash: 09513D74A0620AEFDB00DFA1D658BAF7BB9BF44705F148458FC01AB284D779E940CB62

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_326.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: Vidar

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
LisectAVT_2403002A_326.exe

Function 030643C0 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Function 03051120 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Function 03065ED0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 212
libraryCOMMON

Function 030511E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Function 030543B0 Relevance: 2.5, APIs: 2, Instructions: 44
memorystringCOMMON

Function 030636B0 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Function 030635E0 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Function 03064400 Relevance: 1.5, APIs: 1, Instructions: 23
COMMON