Windows Analysis Report
LisectAVT_2403002A_101.exe

Overview

General Information

Sample name: LisectAVT_2403002A_101.exe
Analysis ID: 1482524
MD5: 780bd376a8b748d6ac621b4881ea908a
SHA1: bafeee797024d02afcad3eac316cae519ad58aa9
SHA256: 5fe1de0adf99f8dff660c75a7e9f2c1d0720f6694f63a7aa406fc16f8bf498d3
Tags: exe
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: LisectAVT_2403002A_101.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Avira: detection malicious, Label: HEUR/AGEN.1319342
Found malware configuration
Source: 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "107.175.229.139:8087:0", "Assigned name": "RemoteHost", "Connect interval": "5", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "jhudguiytgu-AAHEXC", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "yes.png", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Yara detected Remcos RAT
Source: Yara match File source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: unnervously.exe PID: 7272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: unnervously.exe PID: 7432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: unnervously.exe PID: 4712, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\aka\yes.png, type: DROPPED
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: LisectAVT_2403002A_101.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 10_2_00433837
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData, 11_2_00404423
Source: unnervously.exe, 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_a2b9494a-e

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: unnervously.exe PID: 7272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: unnervously.exe PID: 7432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: unnervously.exe PID: 4712, type: MEMORYSTR

Privilege Escalation
barindex
Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_004074FD _wcslen,CoGetObject, 10_2_004074FD
Uses 32bit PE files
Source: LisectAVT_2403002A_101.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0010DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0010DBBE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000DC2A2 FindFirstFileExW, 0_2_000DC2A2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_001168EE FindFirstFileW,FindClose, 0_2_001168EE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0011698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_0011698F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0010D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0010D076
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0010D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0010D3A9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00119642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00119642
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0011979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0011979D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00119B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00119B2B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00115C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00115C97
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_0030DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 9_2_0030DBBE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002DC2A2 FindFirstFileExW, 9_2_002DC2A2
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_003168EE FindFirstFileW,FindClose, 9_2_003168EE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_0031698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 9_2_0031698F
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_0030D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 9_2_0030D076
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_0030D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 9_2_0030D3A9
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_00319642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 9_2_00319642
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_0031979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 9_2_0031979D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_00319B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 9_2_00319B2B
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_00315C97 FindFirstFileW,FindNextFileW,FindClose, 9_2_00315C97
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 10_2_00409253
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 10_2_0041C291
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 10_2_0040C34D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 10_2_00409665
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0044E879 FindFirstFileExA, 10_2_0044E879
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 10_2_0040880C
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0040783C FindFirstFileW,FindNextFileW, 10_2_0040783C
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 10_2_00419AF5
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 10_2_0040BB30
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 10_2_0040BD37
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 10_2_100010F1
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_10006580 FindFirstFileExA, 10_2_10006580
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002DC2A2 FindFirstFileExW, 11_2_002DC2A2
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_003168EE FindFirstFileW,FindClose, 11_2_003168EE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0031698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 11_2_0031698F
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0030D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_0030D076
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0030D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_0030D3A9
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00319642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_00319642
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0031979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_0031979D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00319B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 11_2_00319B2B
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0030DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 11_2_0030DBBE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00315C97 FindFirstFileW,FindNextFileW,FindClose, 11_2_00315C97
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0040AE51 FindFirstFileW,FindNextFileW, 11_2_0040AE51
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 10_2_00407C97

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 107.175.229.139
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.9:51052 -> 107.175.229.139:8087
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 107.175.229.139 107.175.229.139
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0011CE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 0_2_0011CE44
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: unnervously.exe, 0000000B.00000003.2775508960.00000000010BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: unnervously.exe, 0000000B.00000003.2775508960.00000000010BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unnervously.exe, 0000000A.00000002.3771869384.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: unnervously.exe, 0000000A.00000002.3771869384.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: unnervously.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unnervously.exe, 0000000A.00000002.3771535783.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000B.00000002.2776874861.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: unnervously.exe, 0000000A.00000002.3771535783.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000B.00000002.2776874861.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: 183.59.114.20.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: unnervously.exe, 0000000A.00000003.2748718391.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2745450049.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2749423959.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000002.3770114936.00000000010EE000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2746780049.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2745236773.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2748522331.0000000000F79000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/
Source: unnervously.exe, 0000000A.00000002.3770114936.000000000108F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: unnervously.exe, 0000000A.00000002.3768379154.0000000000F28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp#0lV
Source: unnervously.exe, 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, unnervously.exe, 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, unnervously.exe, 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: unnervously.exe, 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpL
Source: unnervously.exe, 0000000A.00000003.2745236773.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2745450049.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2749423959.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000002.3768379154.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2748522331.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: unnervously.exe, 0000000A.00000002.3771869384.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: unnervously.exe, 0000000A.00000002.3771869384.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2769382612.000000000153D000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: unnervously.exe, 0000000D.00000002.2769382612.000000000153D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.coma
Source: unnervously.exe, 0000000A.00000002.3771869384.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: unnervously.exe, 0000000A.00000002.3771869384.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: unnervously.exe, 0000000B.00000002.2777627610.0000000000BEF000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: unnervously.exe, 0000000B.00000003.2763169956.0000000002884000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000B.00000003.2762943053.0000000002881000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000B.00000003.2775508960.00000000010BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: unnervously.exe, 0000000B.00000003.2763169956.0000000002884000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000B.00000003.2762943053.0000000002881000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: unnervously.exe, 0000000B.00000003.2763169956.0000000002884000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000B.00000003.2762943053.0000000002881000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: unnervously.exe, 0000000B.00000003.2775442282.000000000287C000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000B.00000003.2775383892.000000000287C000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000B.00000003.2775996310.000000000287C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_i__q
Source: unnervously.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: unnervously.exe, 0000000A.00000002.3771869384.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: unnervously.exe String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 10_2_0040A2B8
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0011EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_0011EAFF
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0011ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_0011ED6A
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_0031ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 9_2_0031ED6A
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard, 10_2_004168C1
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0031ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 11_2_0031ED6A
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 11_2_0040987A
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 11_2_004098E2
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0011EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_0011EAFF
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0010AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 0_2_0010AA57
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00139576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00139576
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_00339576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 9_2_00339576
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00339576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 11_2_00339576

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: unnervously.exe PID: 7272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: unnervously.exe PID: 7432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: unnervously.exe PID: 4712, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\aka\yes.png, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands
barindex
Contains functionalty to change the wallpaper
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0041C9E2 SystemParametersInfoW, 10_2_0041C9E2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: unnervously.exe PID: 7272, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: unnervously.exe PID: 7432, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: unnervously.exe PID: 4712, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Binary is likely a compiled AutoIt script file
Source: LisectAVT_2403002A_101.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: LisectAVT_2403002A_101.exe, 00000000.00000003.2659342224.0000000003881000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_9f91cf56-a
Source: LisectAVT_2403002A_101.exe, 00000000.00000003.2659342224.0000000003881000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_69d6448c-7
Source: LisectAVT_2403002A_101.exe, 00000000.00000000.1306003099.0000000000162000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_f44c028a-e
Source: LisectAVT_2403002A_101.exe, 00000000.00000000.1306003099.0000000000162000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_b0b96847-0
Source: unnervously.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: unnervously.exe, 00000009.00000000.2671586663.0000000000362000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_da948699-6
Source: unnervously.exe, 00000009.00000000.2671586663.0000000000362000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_963b5010-5
Source: unnervously.exe, 0000000A.00000002.3766241558.0000000000362000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_59a8609a-a
Source: unnervously.exe, 0000000A.00000002.3766241558.0000000000362000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_f8b3c3a4-4
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: This is a third-party compiled AutoIt script. 11_2_002A2A32
Source: unnervously.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: unnervously.exe, 0000000B.00000002.2776632635.0000000000362000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_906caa72-9
Source: unnervously.exe, 0000000B.00000002.2776632635.0000000000362000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_baa75ad0-b
Source: unnervously.exe, 0000000C.00000000.2761199777.0000000000362000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_df6847e8-1
Source: unnervously.exe, 0000000C.00000000.2761199777.0000000000362000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_a41e0f83-5
Source: unnervously.exe, 0000000D.00000000.2766871036.0000000000362000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_4af46346-f
Source: unnervously.exe, 0000000D.00000000.2766871036.0000000000362000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_bbea4a01-2
Source: unnervously.exe, 0000000F.00000002.2848724306.0000000000362000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_9809d32c-7
Source: unnervously.exe, 0000000F.00000002.2848724306.0000000000362000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_aeeb6e9e-b
Source: LisectAVT_2403002A_101.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_dab532ca-1
Source: LisectAVT_2403002A_101.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_44ff335c-5
Source: unnervously.exe.0.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_0c5a28cd-d
Source: unnervously.exe.0.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_cc3ba537-c
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 10_2_004180EF
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 10_2_004132D2
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0041D58F NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 10_2_0041D58F
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle, 10_2_0041BB09
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle, 10_2_0041BB35
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 11_2_0040DD85
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00401806 NtdllDefWindowProc_W, 11_2_00401806
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_004018C0 NtdllDefWindowProc_W, 11_2_004018C0
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0010D5EB: CreateFileW,DeviceIoControl,CloseHandle, 0_2_0010D5EB
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00101201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00101201
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0010E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_0010E8F6
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_0030E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 9_2_0030E8F6
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 10_2_004167B4
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0030E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 11_2_0030E8F6
Detected potential crypto function
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00112046 0_2_00112046
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000A8060 0_2_000A8060
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00108298 0_2_00108298
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000DE4FF 0_2_000DE4FF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000D676B 0_2_000D676B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00134873 0_2_00134873
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000CCAA0 0_2_000CCAA0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000ACAF0 0_2_000ACAF0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000BCC39 0_2_000BCC39
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000D6DD9 0_2_000D6DD9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000BB119 0_2_000BB119
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000A91C0 0_2_000A91C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000C1394 0_2_000C1394
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000C1706 0_2_000C1706
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000C781B 0_2_000C781B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000A7920 0_2_000A7920
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000B997D 0_2_000B997D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000C19B0 0_2_000C19B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000C7A4A 0_2_000C7A4A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000C1C77 0_2_000C1C77
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000C7CA7 0_2_000C7CA7
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0012BE44 0_2_0012BE44
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000D9EEE 0_2_000D9EEE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000C1F32 0_2_000C1F32
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00E437A0 0_2_00E437A0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002A8060 9_2_002A8060
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_00312046 9_2_00312046
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_00308298 9_2_00308298
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002DE4FF 9_2_002DE4FF
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002D676B 9_2_002D676B
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_00334873 9_2_00334873
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002CCAA0 9_2_002CCAA0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002ACAF0 9_2_002ACAF0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002BCC39 9_2_002BCC39
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002D6DD9 9_2_002D6DD9
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002BD064 9_2_002BD064
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002BB119 9_2_002BB119
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002A91C0 9_2_002A91C0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002C1394 9_2_002C1394
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002C1706 9_2_002C1706
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002C781B 9_2_002C781B
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002A7920 9_2_002A7920
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002B997D 9_2_002B997D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002C19B0 9_2_002C19B0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002C7A4A 9_2_002C7A4A
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002C1C77 9_2_002C1C77
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002C7CA7 9_2_002C7CA7
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_0032BE44 9_2_0032BE44
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002D9EEE 9_2_002D9EEE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002C1F32 9_2_002C1F32
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002ABF40 9_2_002ABF40
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_030337A0 9_2_030337A0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0043E0CC 10_2_0043E0CC
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0041F0FA 10_2_0041F0FA
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00454159 10_2_00454159
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00438168 10_2_00438168
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_004461F0 10_2_004461F0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0043E2FB 10_2_0043E2FB
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0045332B 10_2_0045332B
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0042739D 10_2_0042739D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_004374E6 10_2_004374E6
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0043E558 10_2_0043E558
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00438770 10_2_00438770
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_004378FE 10_2_004378FE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00433946 10_2_00433946
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0044D9C9 10_2_0044D9C9
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00427A46 10_2_00427A46
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0041DB62 10_2_0041DB62
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00427BAF 10_2_00427BAF
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00437D33 10_2_00437D33
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00435E5E 10_2_00435E5E
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00426E0E 10_2_00426E0E
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0043DE9D 10_2_0043DE9D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00413FCA 10_2_00413FCA
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00436FEA 10_2_00436FEA
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_10017194 10_2_10017194
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_1000B5C1 10_2_1000B5C1
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00EF37A0 10_2_00EF37A0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002A8060 11_2_002A8060
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00312046 11_2_00312046
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00308298 11_2_00308298
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002DE4FF 11_2_002DE4FF
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002D676B 11_2_002D676B
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00334873 11_2_00334873
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002CCAA0 11_2_002CCAA0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002ACAF0 11_2_002ACAF0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002BCC39 11_2_002BCC39
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002D6DD9 11_2_002D6DD9
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002BAFAC 11_2_002BAFAC
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002BD064 11_2_002BD064
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002A91C0 11_2_002A91C0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002C1394 11_2_002C1394
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002C1706 11_2_002C1706
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002C781B 11_2_002C781B
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002A7920 11_2_002A7920
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002B997D 11_2_002B997D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002C19B0 11_2_002C19B0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002C7A4A 11_2_002C7A4A
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002C1C77 11_2_002C1C77
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002C7CA7 11_2_002C7CA7
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0032BE44 11_2_0032BE44
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002D9EEE 11_2_002D9EEE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002C1F32 11_2_002C1F32
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002ABF40 11_2_002ABF40
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0043610D 11_2_0043610D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0044A490 11_2_0044A490
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0043C560 11_2_0043C560
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0044081D 11_2_0044081D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00414957 11_2_00414957
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0044AA80 11_2_0044AA80
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00412AA9 11_2_00412AA9
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00404B74 11_2_00404B74
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00404B03 11_2_00404B03
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00404BE5 11_2_00404BE5
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00404C76 11_2_00404C76
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00416D72 11_2_00416D72
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00446D30 11_2_00446D30
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00446D8B 11_2_00446D8B
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00406E8F 11_2_00406E8F
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0044B040 11_2_0044B040
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00447310 11_2_00447310
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0040755A 11_2_0040755A
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0044B610 11_2_0044B610
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0044D6C0 11_2_0044D6C0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_004476F0 11_2_004476F0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0044B870 11_2_0044B870
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_004079EE 11_2_004079EE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00407AEB 11_2_00407AEB
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0044BBD8 11_2_0044BBD8
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00415CFE 11_2_00415CFE
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: String function: 000A9CB3 appears 31 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: String function: 000BF9F2 appears 40 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: String function: 000C4963 appears 31 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: String function: 000C0A30 appears 46 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: String function: 00434E10 appears 54 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: String function: 00434770 appears 41 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: String function: 002E1F50 appears 53 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: String function: 002A988F appears 33 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: String function: 002A600E appears 34 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: String function: 002C0A30 appears 92 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: String function: 002C4963 appears 64 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: String function: 002D2FA6 appears 48 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: String function: 002BF9F2 appears 81 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: String function: 00401E65 appears 34 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: String function: 002C4A28 appears 42 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: String function: 002C8E0B appears 36 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: String function: 002A9CB3 appears 62 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: String function: 00416760 appears 69 times
Uses 32bit PE files
Source: LisectAVT_2403002A_101.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: unnervously.exe PID: 7272, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: unnervously.exe PID: 7432, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: unnervously.exe PID: 4712, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@14/16@3/2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_001137B5 GetLastError,FormatMessageW, 0_2_001137B5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_001010BF AdjustTokenPrivileges,CloseHandle, 0_2_001010BF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_001016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_001016C3
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_003010BF AdjustTokenPrivileges,CloseHandle, 9_2_003010BF
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_003016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 9_2_003016C3
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 10_2_00417952
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_003010BF AdjustTokenPrivileges,CloseHandle, 11_2_003010BF
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_003016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 11_2_003016C3
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_001151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_001151CD
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0012A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0012A67C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0011648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0011648E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000A42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_000A42A2
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 10_2_0041AA4A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe File created: C:\Users\user\AppData\Local\Wausaukee Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Mutant created: \Sessions\1\BaseNamedObjects\jhudguiytgu-AAHEXC
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe File created: C:\Users\user\AppData\Local\Temp\autB22F.tmp Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs"
Source: LisectAVT_2403002A_101.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe System information queried: HandleInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unnervously.exe, unnervously.exe, 0000000B.00000002.2776874861.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: unnervously.exe, unnervously.exe, 0000000B.00000002.2776874861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, unnervously.exe, 0000000C.00000002.2762474357.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: unnervously.exe, 0000000A.00000002.3771535783.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000B.00000002.2776874861.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: unnervously.exe, unnervously.exe, 0000000B.00000002.2776874861.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: unnervously.exe, unnervously.exe, 0000000B.00000002.2776874861.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: unnervously.exe, unnervously.exe, 0000000B.00000002.2776874861.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: unnervously.exe, 0000000B.00000002.2778318069.0000000002E60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: unnervously.exe, unnervously.exe, 0000000B.00000002.2776874861.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe File read: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe "C:\Users\user\Desktop\LisectAVT_2403002A_101.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe "C:\Users\user\Desktop\LisectAVT_2403002A_101.exe"
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe "C:\Users\user\AppData\Local\Wausaukee\unnervously.exe"
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\zhxznlyhhoxqew"
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\kcdsoejjvwpvgchse"
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\meicpwucjehhjidwwwibd"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe "C:\Users\user\AppData\Local\Wausaukee\unnervously.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe "C:\Users\user\Desktop\LisectAVT_2403002A_101.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe "C:\Users\user\AppData\Local\Wausaukee\unnervously.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\zhxznlyhhoxqew" Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\kcdsoejjvwpvgchse" Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\meicpwucjehhjidwwwibd" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe "C:\Users\user\AppData\Local\Wausaukee\unnervously.exe" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: LisectAVT_2403002A_101.exe Static file information: File size 1400329 > 1048576
Source: LisectAVT_2403002A_101.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LisectAVT_2403002A_101.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LisectAVT_2403002A_101.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LisectAVT_2403002A_101.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LisectAVT_2403002A_101.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LisectAVT_2403002A_101.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: LisectAVT_2403002A_101.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LisectAVT_2403002A_101.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LisectAVT_2403002A_101.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LisectAVT_2403002A_101.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LisectAVT_2403002A_101.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LisectAVT_2403002A_101.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_000A42DE
PE file contains an invalid checksum
Source: LisectAVT_2403002A_101.exe Static PE information: real checksum: 0x15d197 should be: 0x15d1a0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000C0A76 push ecx; ret 0_2_000C0A89
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002C0A76 push ecx; ret 9_2_002C0A89
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00457106 push ecx; ret 10_2_00457119
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0045B11A push esp; ret 10_2_0045B141
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0045E54D push esi; ret 10_2_0045E556
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00457A28 push eax; ret 10_2_00457A46
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00434E56 push ecx; ret 10_2_00434E69
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_10002806 push ecx; ret 10_2_10002819
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002C0A76 push ecx; ret 11_2_002C0A89
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0044693D push ecx; ret 11_2_0044694D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0044DB70 push eax; ret 11_2_0044DB84
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0044DB70 push eax; ret 11_2_0044DBAC
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00451D54 push eax; ret 11_2_00451D61
Contains functionality to download and launch executables
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00406EB0 ShellExecuteW,URLDownloadToFileW, 10_2_00406EB0
Drops PE files
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe File created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Jump to dropped file

Boot Survival
barindex
Drops VBS files to the startup folder
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 10_2_0041AA4A
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000BF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_000BF98E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00131C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00131C41
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002BF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 9_2_002BF98E
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_00331C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 9_2_00331C41
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002BF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 11_2_002BF98E
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00331C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 11_2_00331C41
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 10_2_0041CB50
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Delayed program exit found
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0040F7A7 Sleep,ExitProcess, 10_2_0040F7A7
Found API chain indicative of sandbox detection
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 11_2_0040DD85
Contains functionality to enumerate running services
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 10_2_0041A748
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Window / User API: threadDelayed 3044 Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Window / User API: threadDelayed 6452 Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Window / User API: foregroundWindowGot 1765 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe API coverage: 4.1 %
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe API coverage: 4.0 %
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe API coverage: 5.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe TID: 7468 Thread sleep count: 246 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe TID: 7468 Thread sleep time: -123000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe TID: 7464 Thread sleep count: 3044 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe TID: 7464 Thread sleep time: -9132000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe TID: 7464 Thread sleep count: 6452 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe TID: 7464 Thread sleep time: -19356000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0010DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0010DBBE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000DC2A2 FindFirstFileExW, 0_2_000DC2A2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_001168EE FindFirstFileW,FindClose, 0_2_001168EE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0011698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_0011698F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0010D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0010D076
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0010D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0010D3A9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00119642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00119642
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0011979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0011979D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00119B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00119B2B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00115C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00115C97
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_0030DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 9_2_0030DBBE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002DC2A2 FindFirstFileExW, 9_2_002DC2A2
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_003168EE FindFirstFileW,FindClose, 9_2_003168EE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_0031698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 9_2_0031698F
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_0030D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 9_2_0030D076
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_0030D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 9_2_0030D3A9
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_00319642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 9_2_00319642
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_0031979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 9_2_0031979D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_00319B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 9_2_00319B2B
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_00315C97 FindFirstFileW,FindNextFileW,FindClose, 9_2_00315C97
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 10_2_00409253
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 10_2_0041C291
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 10_2_0040C34D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 10_2_00409665
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0044E879 FindFirstFileExA, 10_2_0044E879
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 10_2_0040880C
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0040783C FindFirstFileW,FindNextFileW, 10_2_0040783C
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 10_2_00419AF5
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 10_2_0040BB30
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 10_2_0040BD37
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 10_2_100010F1
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_10006580 FindFirstFileExA, 10_2_10006580
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002DC2A2 FindFirstFileExW, 11_2_002DC2A2
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_003168EE FindFirstFileW,FindClose, 11_2_003168EE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0031698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 11_2_0031698F
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0030D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_0030D076
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0030D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_0030D3A9
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00319642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_00319642
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0031979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_0031979D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00319B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 11_2_00319B2B
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0030DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 11_2_0030DBBE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_00315C97 FindFirstFileW,FindNextFileW,FindClose, 11_2_00315C97
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0040AE51 FindFirstFileW,FindNextFileW, 11_2_0040AE51
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 10_2_00407C97
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_000A42DE
Source: LisectAVT_2403002A_101.exe, 00000000.00000003.1307363088.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_101.exe, 00000000.00000002.2673495527.0000000003740000.00000004.00001000.00020000.00000000.sdmp, unnervously.exe, 00000009.00000003.2673216740.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2703523765.00000000010AB000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000F.00000003.2823710378.00000000017B1000.00000004.00000020.00020000.00000000.sdmp, anaboly.0.dr Binary or memory string: tvroz}k;R:S"$ 1$/96]7X735*90$-H MGBGYMEsO!W:KILSGL[S9P?OJOQEMU]7^0@E@^JBU]0Y7wsujypdm
Source: unnervously.exe, 0000000A.00000003.2745326082.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2777998984.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000002.3769568767.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2746989710.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2746780049.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2748522331.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: unnervously.exe, 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWHT
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0011EAA2 BlockInput, 0_2_0011EAA2
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000D2622
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 11_2_0040DD85
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_000A42DE
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000C4CE8 mov eax, dword ptr fs:[00000030h] 0_2_000C4CE8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00E43690 mov eax, dword ptr fs:[00000030h] 0_2_00E43690
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00E43630 mov eax, dword ptr fs:[00000030h] 0_2_00E43630
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00E41EFE mov eax, dword ptr fs:[00000030h] 0_2_00E41EFE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00E41F10 mov eax, dword ptr fs:[00000030h] 0_2_00E41F10
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002C4CE8 mov eax, dword ptr fs:[00000030h] 9_2_002C4CE8
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_03033630 mov eax, dword ptr fs:[00000030h] 9_2_03033630
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_03033690 mov eax, dword ptr fs:[00000030h] 9_2_03033690
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_03031F10 mov eax, dword ptr fs:[00000030h] 9_2_03031F10
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_03031EFE mov eax, dword ptr fs:[00000030h] 9_2_03031EFE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_004432B5 mov eax, dword ptr fs:[00000030h] 10_2_004432B5
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_10004AB4 mov eax, dword ptr fs:[00000030h] 10_2_10004AB4
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00EF3690 mov eax, dword ptr fs:[00000030h] 10_2_00EF3690
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00EF3630 mov eax, dword ptr fs:[00000030h] 10_2_00EF3630
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00EF1EFE mov eax, dword ptr fs:[00000030h] 10_2_00EF1EFE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00EF1F10 mov eax, dword ptr fs:[00000030h] 10_2_00EF1F10
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002C4CE8 mov eax, dword ptr fs:[00000030h] 11_2_002C4CE8
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00100B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00100B62
Enables debug privileges
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000D2622
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000C083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000C083F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000C09D5 SetUnhandledExceptionFilter, 0_2_000C09D5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000C0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_000C0C21
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_002D2622
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002C083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_002C083F
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002C09D5 SetUnhandledExceptionFilter, 9_2_002C09D5
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_002C0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_002C0C21
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_004349F9
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00434B47 SetUnhandledExceptionFilter, 10_2_00434B47
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_0043BB22
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00434FDC
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_100060E2
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_10002639
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_10002B1C
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_002D2622
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002C083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_002C083F
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002C09D5 SetUnhandledExceptionFilter, 11_2_002C09D5
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 11_2_002C0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_002C0C21

HIPS / PFW / Operating System Protection Evasion
barindex
Contains functionality to inject code into remote processes
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 10_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 10_2_004180EF
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: NULL target: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: NULL target: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Section loaded: NULL target: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe protection: execute and read and write Jump to behavior
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 10_2_004120F7
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00101201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00101201
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000E2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_000E2BA5
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_0010B226 SendInput,keybd_event, 0_2_0010B226
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_001222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_001222DA
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\zhxznlyhhoxqew" Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\kcdsoejjvwpvgchse" Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\meicpwucjehhjidwwwibd" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe "C:\Users\user\AppData\Local\Wausaukee\unnervously.exe" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00100B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00100B62
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00101663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00101663
Source: LisectAVT_2403002A_101.exe, unnervously.exe.0.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: unnervously.exe, 0000000A.00000002.3768379154.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000002.3770114936.000000000108F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: unnervously.exe Binary or memory string: Shell_TrayWnd
Source: unnervously.exe, 0000000A.00000002.3768379154.0000000000F79000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerles\*
Source: unnervously.exe, 0000000A.00000002.3768379154.0000000000F79000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager103
Source: unnervously.exe, 0000000A.00000002.3768379154.0000000000F79000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
Source: unnervously.exe, 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager9.139:8087
Source: unnervously.exe, 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program ManagerD
Source: unnervously.exe, 0000000A.00000002.3768379154.0000000000F79000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerles\*yQ:W
Source: unnervously.exe, 0000000A.00000002.3768379154.0000000000F79000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager103125\QYW
Source: unnervously.exe, 0000000A.00000002.3770114936.000000000108F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager\a]^
Source: unnervously.exe, 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: unnervously.exe, 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Program Manager]
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000C0698 cpuid 0_2_000C0698
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: EnumSystemLocalesW, 10_2_00452036
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 10_2_004520C3
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: GetLocaleInfoW, 10_2_00452313
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: EnumSystemLocalesW, 10_2_00448404
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 10_2_0045243C
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: GetLocaleInfoW, 10_2_00452543
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 10_2_00452610
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: GetLocaleInfoA, 10_2_0040F8D1
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: GetLocaleInfoW, 10_2_004488ED
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 10_2_00451CD8
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: EnumSystemLocalesW, 10_2_00451F50
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: EnumSystemLocalesW, 10_2_00451F9B
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00118195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_00118195
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000FD27A GetUserNameW, 0_2_000FD27A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000DB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_000DB952
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_000A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_000A42DE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: unnervously.exe PID: 7272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: unnervously.exe PID: 7432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: unnervously.exe PID: 4712, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\aka\yes.png, type: DROPPED
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 10_2_0040BA12
Contains functionality to steal Firefox passwords or cookies
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 10_2_0040BB30
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: \key3.db 10_2_0040BB30
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Instant Messenger accounts or passwords
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail Jump to behavior
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: Process Memory Space: unnervously.exe PID: 7432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: unnervously.exe PID: 1096, type: MEMORYSTR
OS version to string mapping found (often used in BOTs)
Source: unnervously.exe Binary or memory string: WIN_81
Source: unnervously.exe Binary or memory string: WIN_XP
Source: unnervously.exe.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: unnervously.exe Binary or memory string: WIN_XPe
Source: unnervously.exe Binary or memory string: WIN_VISTA
Source: unnervously.exe Binary or memory string: WIN_7
Source: unnervously.exe Binary or memory string: WIN_8

Remote Access Functionality
barindex
Yara detected Remcos RAT
Source: Yara match File source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: unnervously.exe PID: 7272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: unnervously.exe PID: 7432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: unnervously.exe PID: 4712, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\aka\yes.png, type: DROPPED
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: cmd.exe 10_2_0040569A
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00121204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00121204
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe Code function: 0_2_00121806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00121806
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_00321204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 9_2_00321204
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe Code function: 9_2_00321806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 9_2_00321806
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1482524 Sample: LisectAVT_2403002A_101.exe Startdate: 26/07/2024 Architecture: WINDOWS Score: 100 39 206.23.85.13.in-addr.arpa 2->39 41 183.59.114.20.in-addr.arpa 2->41 43 geoplugin.net 2->43 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus / Scanner detection for submitted sample 2->61 63 9 other signatures 2->63 9 LisectAVT_2403002A_101.exe 6 2->9         started        13 wscript.exe 1 2->13         started        signatures3 process4 file5 35 C:\Users\user\AppData\...\unnervously.exe, PE32 9->35 dropped 69 Binary is likely a compiled AutoIt script file 9->69 71 Found API chain indicative of sandbox detection 9->71 15 unnervously.exe 3 9->15         started        73 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->73 19 unnervously.exe 2 13->19         started        signatures6 process7 file8 37 C:\Users\user\AppData\...\unnervously.vbs, data 15->37 dropped 49 Antivirus detection for dropped file 15->49 51 Contains functionality to bypass UAC (CMSTPLUA) 15->51 53 Binary is likely a compiled AutoIt script file 15->53 55 8 other signatures 15->55 21 unnervously.exe 3 17 15->21         started        signatures9 process10 dnsIp11 45 107.175.229.139, 51052, 51053, 8087 AS-COLOCROSSINGUS United States 21->45 47 geoplugin.net 178.237.33.50, 51054, 80 ATOM86-ASATOM86NL Netherlands 21->47 33 C:\Users\user\AppData\Roaming\aka\yes.png, data 21->33 dropped 65 Binary is likely a compiled AutoIt script file 21->65 67 Maps a DLL or memory area into another process 21->67 26 unnervously.exe 1 21->26         started        29 unnervously.exe 1 21->29         started        31 unnervously.exe 2 21->31         started        file12 signatures13 process14 signatures15 75 Binary is likely a compiled AutoIt script file 26->75 77 Tries to steal Instant Messenger accounts or passwords 26->77 79 Tries to steal Mail credentials (via file / registry access) 26->79 81 Tries to harvest and steal browser information (history, passwords, etc) 29->81
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
107.175.229.139
 unknown United States
36352 AS-COLOCROSSINGUS true
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL false

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true
geoplugin.net 178.237.33.50 true
183.59.114.20.in-addr.arpa unknown unknown
206.23.85.13.in-addr.arpa unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://geoplugin.net/json.gp false
  • URL Reputation: safe
 unknown
107.175.229.139 true
  • Avira URL Cloud: safe
 unknown