Windows Analysis Report
LisectAVT_2403002A_20.exe

Overview

General Information

Sample name: LisectAVT_2403002A_20.exe
Analysis ID: 1482427
MD5: c4d3655d5c8b473292c064ea6392e59e
SHA1: 7dff8774fabb5e6ef3a9a695d89e8c369d2cd6f4
SHA256: b3a927c1fdd44c0c8f0c819cb62ca6e0fa8362b9fb7d5baa10cd5348e4a20bde
Tags: exe

Detection

Mars Stealer, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Mars stealer
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: LisectAVT_2403002A_20.exe Avira: detected
Source: http://185.172.128.26/f993692117a3fda2.php Avira URL Cloud: Label: malware
Source: 00000000.00000003.2017654737.0000000002290000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.26/f993692117a3fda2.php"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.6% probability
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: CtIvEWInDoW
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: AgEBOxw
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: ""
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: ijklmnopqrs
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: /#%33@@@
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: abcdefghijklmnopqrs
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: @@@@<@@@
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: abcdefghijklmnopqrs
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: "&&""..""&&"">>""&&"".."ikSQWQSQ_QBEklmn^pqrBtuvFxyzL123H5679+/|
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: %s\%V/yVs
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: %s\*.
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: }567y9n/S
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: ntTekeny
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: ging
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: PassMord0
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: J@@@`z`@J@@@J@@@
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: OPQRSTUVWXY
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: 456753+/---- '
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: '--- '
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: K{{jhX
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: npllX#
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: HeapFree
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: GetLocaleInfoA
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: ntProcessId
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: .Usi
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: wininet.dll
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: shlwapi.dll
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: shell32.dll
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: .dll
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: column_text
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack String decryptor: login:

Compliance

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Unpacked PE file: 0.2.LisectAVT_2403002A_20.exe.400000.0.unpack
Source: LisectAVT_2403002A_20.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe File opened: C:\Windows\SysWOW64\msvcr100.dll

Networking

Source: Malware configuration extractor URLs: http://185.172.128.26/f993692117a3fda2.php
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net

System Summary

Source: 00000000.00000002.2193515267.00000000008A3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Code function: String function: 004043B0 appears 316 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 456
Source: LisectAVT_2403002A_20.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.2193515267.00000000008A3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.evad.winEXE@2/5@0/0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Code function: 0_2_008A4346 CreateToolhelp32Snapshot,Module32First, 0_2_008A4346
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5264
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4c9d13fc-3620-46a0-aed7-b76d5115d46b
Source: LisectAVT_2403002A_20.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe "C:\Users\user\Desktop\LisectAVT_2403002A_20.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 456
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe File opened: C:\Windows\SysWOW64\msvcr100.dll

Data Obfuscation

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Unpacked PE file: 0.2.LisectAVT_2403002A_20.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Unpacked PE file: 0.2.LisectAVT_2403002A_20.exe.400000.0.unpack
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Code function: 0_2_00415ED0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00415ED0
Source: LisectAVT_2403002A_20.exe Static PE information: real checksum: 0x3c08f should be: 0x3c093
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Code function: 0_2_004176C5 push ecx; ret 0_2_004176D8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Code function: 0_2_008AC443 pushad ; retf C3E8h 0_2_008AC46B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Code function: 0_2_0227792C push ecx; ret 0_2_0227793F
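Two of the findings above can be reproduced from raw PE headers without a sandbox: the invalid checksum (a header value of 0x3c08f where 0x3c093 is expected) and the unpacking indicator that compares section rights between a dumped image and the original file (.text:ER versus .text:EW). The Python below is an added example written for this page; it is not code from the Joe Sandbox report or from the sample. It computes the image checksum the way Windows' CheckSumMappedFile does (ones'-complement sum of all 16-bit words with the CheckSum field counted as zero, folded to 16 bits, plus the file length) and reads the IMAGE_SCN_MEM_EXECUTE/READ/WRITE bits from the section table. `build_minimal_pe` produces a constructed, header-only PE32 test image, not the analysed binary, and all function names are the example's own.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def _nt_offset(data: bytes) -> int:
    """Validate the MZ/PE signatures and return e_lfanew (offset of 'PE\\0\\0')."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew

def _checksum_offset(data: bytes) -> int:
    # OptionalHeader follows the 4-byte signature and the 20-byte IMAGE_FILE_HEADER;
    # CheckSum is at offset 0x40 inside it for both PE32 and PE32+.
    return _nt_offset(data) + 4 + 20 + 0x40

def pe_checksum(data: bytes) -> int:
    """Image checksum as CheckSumMappedFile computes it: ones'-complement sum of
    every 16-bit little-endian word (CheckSum field counted as zero, a trailing
    odd byte zero-padded), folded to 16 bits, plus the file length."""
    skip = _checksum_offset(data)
    padded = data if len(data) % 2 == 0 else data + b"\0"
    total = 0
    for off in range(0, len(padded), 2):
        if skip <= off < skip + 4:
            continue
        total += padded[off] | (padded[off + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)

def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]

def checksum_matches(data: bytes) -> bool:
    """True when the header CheckSum equals the value computed over the file."""
    return stored_checksum(data) == pe_checksum(data)

def section_rights(data: bytes) -> list:
    """[(name, flags)] with flags drawn from 'E', 'R', 'W' in that order."""
    nt = _nt_offset(data)
    num_sections = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    rights = []
    for i in range(num_sections):
        hdr = nt + 24 + opt_size + 40 * i  # sizeof(IMAGE_SECTION_HEADER) == 40
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        flags = "".join(f for f, bit in (("E", IMAGE_SCN_MEM_EXECUTE), ("R", IMAGE_SCN_MEM_READ),
                                         ("W", IMAGE_SCN_MEM_WRITE)) if chars & bit)
        rights.append((name, flags))
    return rights

def format_rights(rights: list) -> str:
    """Render in the report's form: '.text:ER;.rdata:R;'."""
    return "".join(f"{name}:{flags};" for name, flags in rights)

def rights_changed(dumped: bytes, original: bytes) -> list:
    """Sections present in both images whose E/R/W bits differ:
    [(name, dumped_flags, original_flags)]."""
    before = dict(section_rights(original))
    return [(name, flags, before[name]) for name, flags in section_rights(dumped)
            if name in before and before[name] != flags]

def build_minimal_pe(checksum: int = 0, sections=()) -> bytes:
    """Constructed header-only PE32 image for testing (not the analysed sample):
    DOS header, PE signature, IMAGE_FILE_HEADER, 0xE0-byte optional header and the
    given (name, Characteristics) section headers; no section data."""
    nt, opt_size = 0x40, 0xE0
    img = bytearray(nt + 4 + 20 + opt_size + 40 * len(sections))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, nt)
    img[nt:nt + 4] = b"PE\0\0"
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics=RELOCS_STRIPPED|EXECUTABLE_IMAGE|32BIT_MACHINE
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x014C, len(sections), 0, 0, 0, opt_size, 0x0103)
    struct.pack_into("<H", img, nt + 24, 0x010B)  # PE32 magic
    struct.pack_into("<I", img, nt + 24 + 0x40, checksum)
    for i, (name, chars) in enumerate(sections):
        hdr = nt + 24 + opt_size + 40 * i
        img[hdr:hdr + 8] = name.encode("ascii").ljust(8, b"\0")
        struct.pack_into("<I", img, hdr + 36, chars)
    return bytes(img)
```

Feed `pe_checksum` and `stored_checksum` the on-disk sample and `rights_changed` a memory dump next to the original to reproduce the two findings. Keep the checksum result in proportion: the user-mode loader does not verify CheckSum for ordinary executables (kernel drivers and some system DLLs are checked), so a mismatch is evidence of post-link modification such as packing or patching, not something that stops the file from running. `rights_changed` deliberately compares only sections that exist in both images; a section that an unpacker renames or drops (.rsrc on one side, .reloc on the other, as in the report line) shows up only in the two `format_rights` strings.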
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (50 occurrences)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe API coverage: 5.0 %
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Code function: 0_2_00401120 GetSystemInfo,ExitProcess, 0_2_00401120
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: LisectAVT_2403002A_20.exe, 00000000.00000002.2193378244.000000000088E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware (matches the hypervisor vendor ID that CPUID leaf 0x40000000 returns on VMware guests; unlike the Amcache.hve entries around it, which describe the analysis machine itself, this string is in the sample's own memory)
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe API call chain: ExitProcess graph end node (7 occurrences)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Code function: 0_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417B4E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Code function: 0_2_00415DC0 mov eax, dword ptr fs:[00000030h] 0_2_00415DC0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Code function: 0_2_008A3C23 push dword ptr fs:[00000030h] 0_2_008A3C23
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Code function: 0_2_02276027 mov eax, dword ptr fs:[00000030h] 0_2_02276027
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Code function: 0_2_0226092B mov eax, dword ptr fs:[00000030h] 0_2_0226092B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Code function: 0_2_02260D90 mov eax, dword ptr fs:[00000030h] 0_2_02260D90
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Code function: 0_2_00419DC7 SetUnhandledExceptionFilter, 0_2_00419DC7
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Code function: 0_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004173DD
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Code function: 0_2_02277644 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_02277644
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Code function: 0_2_0227A02E SetUnhandledExceptionFilter, 0_2_0227A02E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Code function: 0_2_02277DB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_02277DB5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Code function: 0_2_004135E0 GetSystemTime,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, 0_2_004135E0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe Code function: 0_2_004143C0 GetUserNameA, 0_2_004143C0
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 0.3.LisectAVT_2403002A_20.exe.2290000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_20.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_20.exe.2260e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_20.exe.2290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_20.exe.2260e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2017654737.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.3.LisectAVT_2403002A_20.exe.2290000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_20.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_20.exe.2260e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_20.exe.2290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_20.exe.2260e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2017654737.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 0.3.LisectAVT_2403002A_20.exe.2290000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_20.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_20.exe.2260e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_20.exe.2290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_20.exe.2260e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2017654737.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.3.LisectAVT_2403002A_20.exe.2290000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_20.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_20.exe.2260e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_20.exe.2290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_20.exe.2260e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2017654737.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos