Windows Analysis Report
jjjUC5ggb2nQMb1B6SvBkwmT.exe

Overview

General Information

Sample name: jjjUC5ggb2nQMb1B6SvBkwmT.exe
Analysis ID: 1483181
MD5: 9795b9f24e9a98ae78f7cad809ed1e2a
SHA1: d92325ce71ae6bd9af9b74b1cc67f81dbb033020
SHA256: a36a4fce0902ebb99f0a8441b024a03c2f1cd66063c59391257f0f96ea9ee5fb
Tags: exe
Infos:

Detection

PureLog Stealer, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected PureLog Stealer
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Drops password protected ZIP file
Found many strings related to Crypto-Wallets (likely being stolen)
Installs new ROOT certificates
Machine Learning detection for dropped file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Found malware configuration
Source: in.exe.5036.11.memstrmin Malware Configuration Extractor: RedLine {"C2 url": "23.94.183.150:5058"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 98.8% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_0040367D GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 0_2_0040367D
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_004031DC FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_004031DC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00457978 FindFirstFileW,FindFirstFileW,free, 5_2_00457978
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0045881C free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free, 5_2_0045881C
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\main\extracted Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\main\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 11_2_00E50944
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 11_2_00E50939
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 4x nop then jmp 08A974B2h 11_2_08A97408
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 4x nop then jmp 08A974B2h 11_2_08A97400

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 23.94.183.150:5058
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49706 -> 23.94.183.150:5058
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.183.150
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: in.exe, 0000000B.00000002.2139768224.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/D
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: in.exe, 0000000B.00000002.2139768224.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp, in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: in.exe, 0000000B.00000002.2139768224.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe String found in binary or memory: http://usbtor.ru/viewtopic.php?t=798)Z
Source: in.exe, 0000000B.00000002.2145079467.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ipKSELSystem.Windows.FormsECT
Source: in.exe, 0000000B.00000002.2145079467.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: in.exe, 0000000B.00000002.2145079467.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: in.exe, 0000000B.00000002.2145079467.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: in.exe, 0000000B.00000002.2145079467.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: in.exe, 0000000B.00000002.2145079467.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: in.exe, 0000000B.00000002.2145079467.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe String found in binary or memory: https://sectigo.com/CPS0
Source: in.exe, 0000000B.00000002.2145079467.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: in.exe, 0000000B.00000002.2145079467.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_00408DBB SetWindowsHookExW 00000002,Function_00008D8D,00000000,00000000 0_2_00408DBB
Drops certificate files (DER)
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File created: C:\Users\user\AppData\Local\Temp\Tmp30F7.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File created: C:\Users\user\AppData\Local\Temp\Tmp3107.tmp Jump to dropped file

System Summary
barindex
Drops password protected ZIP file
Source: file.bin.0.dr Zip Entry: encrypted
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_004596AC: free,GetFileInformationByHandle,DeviceIoControl,free,free,memmove,free, 5_2_004596AC
Detected potential crypto function
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_00405BFC 0_2_00405BFC
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_0040B0E0 0_2_0040B0E0
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_0040B0E4 0_2_0040B0E4
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_00419973 0_2_00419973
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_0040A900 0_2_0040A900
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_0040A270 0_2_0040A270
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_0040AC20 0_2_0040AC20
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_00409C20 0_2_00409C20
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_0040D480 0_2_0040D480
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_0040ED00 0_2_0040ED00
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_00409DD0 0_2_00409DD0
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_00419601 0_2_00419601
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_004196DB 0_2_004196DB
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_00418F40 0_2_00418F40
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0047F13E 5_2_0047F13E
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00475458 5_2_00475458
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_004724C0 5_2_004724C0
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_004747AC 5_2_004747AC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00498817 5_2_00498817
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00460DCC 5_2_00460DCC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0045B114 5_2_0045B114
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0045F1B4 5_2_0045F1B4
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0046C278 5_2_0046C278
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00482578 5_2_00482578
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00493528 5_2_00493528
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0048066E 5_2_0048066E
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0047D66C 5_2_0047D66C
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0046D858 5_2_0046D858
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0047694C 5_2_0047694C
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_004879DC 5_2_004879DC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_004949A5 5_2_004949A5
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_004899B8 5_2_004899B8
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0048FA0C 5_2_0048FA0C
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0049DA30 5_2_0049DA30
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00467C68 5_2_00467C68
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0049DC11 5_2_0049DC11
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00468CA8 5_2_00468CA8
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0049DD00 5_2_0049DD00
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00476E08 5_2_00476E08
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0046AF58 5_2_0046AF58
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00458F18 5_2_00458F18
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_00E51228 11_2_00E51228
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_00E51217 11_2_00E51217
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_00E50D68 11_2_00E50D68
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_00E50D78 11_2_00E50D78
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_027A66C8 11_2_027A66C8
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_027A77E5 11_2_027A77E5
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_027A9F88 11_2_027A9F88
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_027A903F 11_2_027A903F
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_027A0420 11_2_027A0420
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_04E74E78 11_2_04E74E78
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_04E748E8 11_2_04E748E8
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_04E7C0A3 11_2_04E7C0A3
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_04E74E68 11_2_04E74E68
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_04E748DB 11_2_04E748DB
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_04E758A8 11_2_04E758A8
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_04E78287 11_2_04E78287
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_04E74329 11_2_04E74329
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_04E74330 11_2_04E74330
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_05100007 11_2_05100007
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_05100040 11_2_05100040
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_05117C68 11_2_05117C68
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_08A9F938 11_2_08A9F938
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_08A9894A 11_2_08A9894A
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_08A98958 11_2_08A98958
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_08A9BB81 11_2_08A9BB81
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_08A9BB90 11_2_08A9BB90
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_08A96328 11_2_08A96328
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_08A96338 11_2_08A96338
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_08A9E308 11_2_08A9E308
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_08A96FE8 11_2_08A96FE8
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_08A96FD8 11_2_08A96FD8
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_08A93F60 11_2_08A93F60
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_08A9CF70 11_2_08A9CF70
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_08A93F50 11_2_08A93F50
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\main\7z.dll 34AD9BB80FE8BF28171E671228EB5B64A55CAA388C31CB8C0DF77C0136735891
Enables security privileges
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Process token adjusted: Security Jump to behavior
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: String function: 004029A6 appears 44 times
PE / OLE file has an invalid certificate
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe, 00000000.00000003.1998794706.00000000027D0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs jjjUC5ggb2nQMb1B6SvBkwmT.exe
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe, 00000000.00000003.1998794706.00000000027D0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: XFileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs jjjUC5ggb2nQMb1B6SvBkwmT.exe
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe, 00000000.00000003.1998794706.00000000027D0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.dll, vs jjjUC5ggb2nQMb1B6SvBkwmT.exe
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe, 00000000.00000003.1998563092.0000000006A10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.exe, vs jjjUC5ggb2nQMb1B6SvBkwmT.exe
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe, 00000000.00000003.1998563092.0000000006A10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs jjjUC5ggb2nQMb1B6SvBkwmT.exe
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe, 00000000.00000003.1998563092.0000000006A10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: XFileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs jjjUC5ggb2nQMb1B6SvBkwmT.exe
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe, 00000000.00000003.1998563092.0000000006A10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.dll, vs jjjUC5ggb2nQMb1B6SvBkwmT.exe
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe, 00000000.00000002.3222046683.0000000000423000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameStatPlus6.exe0 vs jjjUC5ggb2nQMb1B6SvBkwmT.exe
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe, 00000000.00000003.2003623399.0000000002550000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.exe, vs jjjUC5ggb2nQMb1B6SvBkwmT.exe
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe Binary or memory string: OriginalFilenameStatPlus6.exe0 vs jjjUC5ggb2nQMb1B6SvBkwmT.exe
Uses 32bit PE files
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: in.exe.9.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: in.exe.9.dr, EwV3ECxYhIse1SOarW.cs Cryptographic APIs: 'CreateDecryptor'
Source: in.exe.9.dr, EwV3ECxYhIse1SOarW.cs Cryptographic APIs: 'CreateDecryptor'
Source: in.exe.9.dr, EwV3ECxYhIse1SOarW.cs Cryptographic APIs: 'CreateDecryptor'
Source: in.exe.9.dr, EwV3ECxYhIse1SOarW.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@21/22@0/1
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_00409606 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree, 0_2_00409606
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0045AC74 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 5_2_0045AC74
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00461D04 GetCurrentProcess,CloseHandle,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,FindCloseChangeNotification, 5_2_00461D04
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_0040122A GetDiskFreeSpaceExW,SendMessageW, 0_2_0040122A
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_004092C1 GetDlgItem,GetDlgItem,SendMessageW,GetDlgItem,GetWindowLongW,GetDlgItem,SetWindowLongW,GetSystemMenu,EnableMenuItem,GetDlgItem,SetFocus,SetTimer,CoCreateInstance,GetDlgItem,IsWindow,GetDlgItem,EnableWindow,GetDlgItem,ShowWindow, 0_2_004092C1
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_004020BF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress, 0_2_004020BF
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6624:120:WilError_03
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe File created: C:\Users\user\AppData\Local\Temp\main Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\main\in.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\main\in.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\main\in.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\main\in.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: in.exe, 0000000B.00000002.2139768224.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, in.exe, 0000000B.00000002.2139768224.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, in.exe, 0000000B.00000002.2139768224.0000000002CDA000.00000004.00000800.00020000.00000000.sdmp, in.exe, 0000000B.00000002.2139768224.0000000002D6D000.00000004.00000800.00020000.00000000.sdmp, in.exe, 0000000B.00000002.2139768224.0000000002D57000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe File read: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe "C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe"
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 65,10
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p324051139125346723019431074 -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 65,10 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p324051139125346723019431074 -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe" Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\mode.com Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\mode.com Section loaded: ureg.dll Jump to behavior
Source: C:\Windows\System32\mode.com Section loaded: fsutilext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: msvcp140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: esdsip.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Google Chrome.lnk.11.dr LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe Static file information: File size 3221440 > 1048576

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: in.exe.9.dr, EwV3ECxYhIse1SOarW.cs .Net Code: Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.l5dizeUqZ0(16777436)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.l5dizeUqZ0(16777258)),Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.l5dizeUqZ0(16777301))})
Binary contains a suspicious time stamp
Source: in.exe.9.dr Static PE information: 0x86B99492 [Fri Aug 16 23:38:58 2041 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_00402665 LoadLibraryA,GetProcAddress,GetNativeSystemInfo, 0_2_00402665
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_004192C0 push eax; ret 0_2_004192EE
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0047676A push rcx; ret 5_2_0047676B
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_00E550BD push es; ret 11_2_00E550C4
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_04E7066C push ss; retf 11_2_04E70670
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_04E7BBC8 push esp; iretd 11_2_04E7BBC9
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_05101063 push edx; retf 11_2_05101064
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_06461015 push FFFFFF8Bh; ret 11_2_0646101A
Source: in.exe.9.dr Static PE information: section name: .text entropy: 7.362711891972509
Source: in.exe.9.dr, AesFastEngine.cs High entropy of concatenated method names: 'Shift', 'FFmulX', 'Inv_Mcol', 'SubWord', 'GenerateWorkingKey', 'Init', 'GetBlockSize', 'ProcessBlock', 'Reset', 'UnPackBlock'
Source: in.exe.9.dr, UserExt.cs High entropy of concatenated method names: 'DomainExists', 'PreCheck', 'NMdP6dBfO1y9yPTTP8B', 'BtlJSiBygSArVP8byYT', 'cwdr4PBqWm76X1Ogxmk', 'xred9VBNW4LbnxifewC', 'gMhma0B8osGVhSgiI37', 'iQuLndBU3ZMWkguQXvv', 'fW8giDBFGBjRdaCcHIS', 'iqiYoABwEWA6IFP67Oh'
Source: in.exe.9.dr, Tables8kGcmMultiplier.cs High entropy of concatenated method names: 'Init', 'MultiplyH', 'za2eNGNJbXAumtCuKjH', 'G9wbwnNPgu2BQG4WyDP', 'CsuiZANonfen0rHLVUw', 'I61A4cN3yxqJBkue3WH', 'rHILQwNIxhBAKGBBEbQ', 'p7K6XUNWWSFhEDOBxHX', 'sGYT5aNmLtHSa0ZgerX', 'dwhXjINKiJ8klN8rMMw'
Source: in.exe.9.dr, StringDecrypt.cs High entropy of concatenated method names: 'Xor', 'FromBase64', 'BytesToStringConverted', 'Read', 'Ka3Fj2UkunFubTyvnJ4', 'TLeCP0U7yaFCIiJmdHl', 'XZPBnVUp94Cp8l38WdG', 'lS6pT6UvS8c7PqKQeAO', 'ToAP8JUaWdoSUMoUlkA', 'dmItCsUQYBDWryXBYg9'
Source: in.exe.9.dr, Form1.cs High entropy of concatenated method names: 'Dispose', 'InitializeComponent', 'U1CnBHVq8tbcYFCfkfo', 'sXEZgmVfLKMJUvoo6b4', 'b2l7gWVN8xps47gifdW', 'o1SOOUXzhcAjdQAVrm3', 'OhktNRVyVbitLdJOOuC', 'G12RTAV8hPd41iaH7Sx', 'IVd6fkVUGYTiZ11arAh', 'KkSe07VFmO5nmRCGdNQ'
Source: in.exe.9.dr, FullInfoSender.cs High entropy of concatenated method names: 'Invoker', 'sdfk8h34', 'Visible', 'asdk9y3', 'kadsoji83', 'kkdhfakdasd', 'sdfm83kjasd', 'sdfkas83', 'gkdsi8y234', 'sf34asd21'
Source: in.exe.9.dr, AesGcm256.cs High entropy of concatenated method names: 'Decrypt', 'yFaLd9UfoLpPPR6N82Z', 'bhCFK0UNSl6DhLc6nQ8', 'omkA3TU8r8r1ZTprlmk', 'qXWZJIUUDMwW2JXjiAA', 'Yy8NnSUF2tmloe9ArN7', 'Bl5BmhUw0JvgY2OKFm2', 'gSC2qHUXj9etiIOBOOi', 'ginPl1Uy6tPU5lOsjfq', 'PHmyqfUqy86dCcYPhax'
Source: in.exe.9.dr, PartsSender.cs High entropy of concatenated method names: 'Invoker', 'sdf9j3nasd', 'Visible', 'LSIDsd2', 'asdkadu8', 'sdfo8n234', 'sdfi35sdf', 'asd44123', 'fdfg9i3jn4', 'sdf934asd'
Source: in.exe.9.dr, EnvironmentChecker.cs High entropy of concatenated method names: 'Check', 'FindLinksAndSetProxy', 'InstallCert', 'qPCgxiB2oUhfRZfgBu7', 'uFeXq0B9BPbYEuYtrmx', 'OcpwLUB6BEfIGmgpwWT', 'VKV512BjPGvJIIiHeQB', 'VaC24NBQVDwauM6G1kt', 'WxGJt1BZHadkXE9MPJl', 'o4rWnEBkrvG12vVZSGb'
Source: in.exe.9.dr, QueryProcessor.cs High entropy of concatenated method names: 'GatherValue', 'ReadMasterOfContext', 'ReadContextTable', 'GetOffset', 'ReadContextValue', 'ConvertToULong', 'Count', 'Gvl', 'Cvl', 'IsOdd'
Source: in.exe.9.dr, BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs High entropy of concatenated method names: 'Dispose', 'aIBB0j2e9yddmSm0Quc', 'HBZATj22hFg4nV4xYKR', 'AlZxPX29FvQv9ChqCMR', 'X6Xd0D261MKEwe6vB01', 'fQltEe2juNTAdAD4xTW', 'SE9LaP2Qb47E0O6PnG7', 'k6yH212CuSuxLQ4iVR3', 'fRePJP2BBhsfiGmdPjL', 'hsmXsS2Zk3guPmdXfFI'
Source: in.exe.9.dr, Json.cs High entropy of concatenated method names: 'FromJSON', 'ToJSON', 'GAIIkZCAprOdmZGt07D', 'H31rLiC5bq8mnqGTmeK', 'txrsWACtq970qQTbSwR', 'zWjqFpC48PU51FXZDgN', 'cLldBOCd371NPb4AE6Y', 'tZNFewCH7vkCZON022Y', 'jUxbJSCIR98D5xTT7g9'
Source: in.exe.9.dr, GcmBlockCipher.cs High entropy of concatenated method names: 'GetBlockSize', 'Init', 'GetMac', 'GetOutputSize', 'GetUpdateOutputSize', 'ProcessByte', 'ProcessBytes', 'Process', 'DoFinal', 'Reset'
Source: in.exe.9.dr, FileExt.cs High entropy of concatenated method names: 'ReadFile', 'ReadFileAsText', 'hhavFtCrI2Pj5dUY462', 'WRq9A7Clkmx1c6MBeya', 'aGxKgyCSjkZJT5vB6s4', 'R6PTv5CibwL0NFKTJ06', 'oP5xOKCLo7WviKOgwxr', 'Pmp9FOCGQsqAwF6tDQ5', 'RlptJ1ChFxAUh2tqXMx', 'OOQOSwCMY8cXaRgdwbu'
Source: in.exe.9.dr, SystemInfoHelper.cs High entropy of concatenated method names: 'CloseBrowser', 'GetProcessors', 'GetGraphicCards', 'GetBrowsers', 'GetSerialNumber', 'QueryProc', 'QueryAV', 'QueryProc', 'ListOfPrograms', 'AvailableLanguages'
Source: in.exe.9.dr, GcmUtilities.cs High entropy of concatenated method names: 'OneAsBytes', 'OneAsUints', 'AsUints', 'Multiply', 'MultiplyP', 'MultiplyP8', 'ShiftRight', 'ShiftRight', 'ShiftRightN', 'Xor'
Source: in.exe.9.dr, IPv4Helper.cs High entropy of concatenated method names: 'IsLocalIp', 'GetDefaultIPv4Address', 'Request', 'v4snoYBo1Zns3PeQv7Y', 'Y7fjQ0BJ2MomcSeHpJU', 'IMfaHOBPUT9Eb0QXioX', 'vmIEC5B31mQZ2eYCtT8', 'SGmC8oBmjCbSDwYpOlQ', 'ICfO3CBKGH2SrtUSSEn', 'EkLjq9BbSTEYEyuK15h'
Source: in.exe.9.dr, Entity19.cs High entropy of concatenated method names: 'Id1', 'Id2', 'Id3', 'e2NL75fVDe6gGM94P22', 'DsGiAhfCKPq6I24qD59', 'eFBqLGfB9QCLL11eCjg', 'YuAbj8fe7lDlGfAWnmF', 'eanD1af2Bw2RSuv6oOt', 'dRkZ6Bf93LwSBOvLJML', 'jwgNC6f6G4PQln9eQCi'
Source: in.exe.9.dr, QueryCmd.cs High entropy of concatenated method names: 'IsTrue', 'Query', 'nD7n6GV5839C33pU3PP', 'WLC1ycVdgU1xIjt2mfs', 'IKTkBeVHTBO909oOp4p', 'JZONa9VIjqZvm0TslPo', 'rrR9PoVWXeF8CZ9Rc54', 'xebPdDVJaPqCH2oYNSB', 'JMedFpVPgjdfy40mYhV', 'hkPoisVooEcf8FUJA26'
Source: in.exe.9.dr, Entity5.cs High entropy of concatenated method names: 'AoQNvT9gkGq49b9V3q4', 'O0Zde79RujDIPB821od', 'hEZ5mf91r2oc5ZAPeUE', 'ycyFo790aDKQM1Q6H8L', 'byTa009EcamPN9dodKZ', 'wWJkep9LRAHN4NSGkXH', 'N1pP8O9GAX2sX78iQwk'
Source: in.exe.9.dr, Arrays.cs High entropy of concatenated method names: 'AreEqual', 'AreEqual', 'AreEqual', 'AreSame', 'ConstantTimeAreEqual', 'AreEqual', 'HaveSameContents', 'HaveSameContents', 'HaveSameContents', 'HaveSameContents'
Source: in.exe.9.dr, GdiHelper.cs High entropy of concatenated method names: 'GetVirtualDisplaySize', 'GetImageBase', 'ConvertToBytes', 'wIOvq3BGfAQQqXTBbUp', 'vAjhnBBr7K8gLbrkZTp', 'xaZRw3BlngZ78y5EVoG', 'brAeWSBSQt8395R9VJB', 'eekfj3BEPUxlDVuXwUE', 'yVDpbnBL2o9JmKDuDcq', 'rARwxNBidHQ503XyZ1r'
Source: in.exe.9.dr, TaskResolver.cs High entropy of concatenated method names: 'ReleaseUpdates', 'UVhKQxCnahGmHFEdwSR', 'EeXrODCTEwU8wffCYkF', 'kbbBkcC1XCsIfxY1WXf', 'xXGYKBC0ik9csHuNywP', 'zSHENZCgU91hNlPsy3e', 'sqO3ISCYJuunvuBFDPO', 'wMLqroCOSDE4SVBomXK', 'BtMttxCRu5y2lLh97vF'
Source: in.exe.9.dr, DownloadAndExecuteUpdate.cs High entropy of concatenated method names: 'IsValidAction', 'Process', 'umfM6RVKeT7kfdHvKVi', 'WHHMcGVb2tr9voscSld', 'g773edVDjc8WIpasmI0', 'Hk0hycVck12w9OX8rYm', 'EJu6RNVx5KBqeDkItP4', 'P5L9wFVzXwc7OHHsHnu', 'IGYCydCyrDlddWN7ffA', 'O08YxgCqlMTGeagxuDL'
Source: in.exe.9.dr, DownloadUpdate.cs High entropy of concatenated method names: 'IsValidAction', 'Process', 'g6H26UCCDFQ8dT01dQC', 'CO6IF5CBLKRKhbTUdqC', 'eH7ceJCe1Z2cxhwQ8OP', 'VphRnrC2qEjlEKlVOxA', 'xRfE2lC9Zqm79ntGs29', 'Kk6vYTC6smQJrFbJiZi', 'xxobNBCjWdkP2Evhmi7', 'beg4lkCQ5A4WWFmqS3Z'
Source: in.exe.9.dr, FileCopier.cs High entropy of concatenated method names: 'FindPaths', 'ChromeGetName', 'ChromeGetRoamingName', 'ChromeGetLocalName', 'JobWWJ2uN6u0qlNjjAY', 'm32Vm92tMtw0nCjNGWS', 'W74sNV24UQHsyok8nK5', 'f9rjkQ2ANZL248wlZv0', 'CXg7Cg2M9qU3V31tlts', 'xUAZqd2sndRjWeElwGt'
Source: in.exe.9.dr, KeyParameter.cs High entropy of concatenated method names: 'GetKey', 'kOZ46GN0jUNnFfTh97t', 'aVWlp7Ng8QM78XbP6f0', 'K0RcSENRv6a6GMc35qj', 'iM4vhiNT75nlO0EVyWB', 'A0j8obN1doEP5wLIxuJ', 'eMfa4cNEgiw2QFgL1LV', 'xgJSStNL7HaoFfuVCoG'
Source: in.exe.9.dr, Entity18.cs High entropy of concatenated method names: 'Id1', 'TreeObject8', 'Id2', 'Id3', 'Id4', 'Id5', 'Id6', 'Id7', 'Id8', 'PPyBCqqM0kO7aQsRVjP'
Source: in.exe.9.dr, MemoryCollect.cs High entropy of concatenated method names: 'Id1', 'Id2', 'Id3', 'Id4', 'nV2LcJfEddUnAMLVNta', 'G31G90fL6OVspraOVbA', 'KX6mmPfG6hBL4iT0kvG', 'HxuVaNfgwE1bfkxEb7b', 'PgYyqdfR87EwPfhrknm', 'm5jJHsfrMUOZsVlPauh'
Source: in.exe.9.dr, RosComNadzor.cs High entropy of concatenated method names: 'Id2', 'Id3', 'UV579RXO7Rdpqrnjo7V', 'xS2AdMXnxGaD3Cd4d39', 'bR4dRnXTMj0Mvby8HLX', 'YpEhrqX1vlHYiFl1wgB', 'kxTkuNX0FrXxUEjal8v', 'SlhQaAXgPnRs0QicSHS', 'lyUwHXXRmbuV39PT4pW', 'ynpXu3XEiebanftlxyu'
Source: in.exe.9.dr, Resource1.cs High entropy of concatenated method names: 'mBXCbR6CtT8O15SKDK4', 'D1HjCE6B6v5piSi1vZs', 'bcVFVY6XVxuUhatpUMY', 'zJEsc76VSXEpnbncllS', 'J8XWx96eRBwAehudMTw', 'rg0BEn62HnQc6IW5ywY', 'dgUetJ698K1bERHwLPr', 'UH7NDx66UJQdB0i37TS', 'SyK7yL6jDXQyvr9C2jY', 'ofyTi86QXKv9GQHFvQi'
Source: in.exe.9.dr, OpenVPN.cs High entropy of concatenated method names: 'Id2', 'Id3', 'QZngY2XIjDyrAvn3vvp', 'ldVD9YXWquL1nOByJlV', 'uMBgbsXJp8CFTcPBQr4', 'U58PiMXPetLusgWu6WI', 'aGhmxYXodRLKfJxQ0UA'
Source: in.exe.9.dr, ConnectionProvider.cs High entropy of concatenated method names: 'Id1', 'RequestConnection', 'Id3', 'Id4', 'Id5', 'Id6', 'Id7', 'Id8', 'Id9', 'Id10'
Source: in.exe.9.dr, CryptoHelper.cs High entropy of concatenated method names: 'Read', 'DecryptBlob', 'CalcM5', 'GetHexString', 'zf6Vbhf56kCPrCaBGKV', 'BJctOCfdeOnyZUwTZUw', 'Qe6nk7fHL6bQuF67F9w', 'pDMsv1fIAeI5LgLP0I9', 'E0K8q9fWb3OTl8MsZGt', 'BRJvoHfJiWoAdYBkeQu'
Source: in.exe.9.dr, Program2.cs High entropy of concatenated method names: 'WriteLine', 'tfOeKgFUphRMPGbYVHR', 'M1rNf1FFpdLNxRsvQxF', 'y2IdidFwk6mb0jl0b2E', 'h3XwAPFXIdwW0qOntkd', 'b6vRgAFVf7GvcfappQ8', 'ycf65jFCH6NMOeoMGYX', 'Vi8cD7FBw3kbJcwfhUt', 'ttg3ruFe8Q0EbCp8F4F', 'xHSwHLF2c3D0Kr9uW9X'
Source: in.exe.9.dr, StringExt.cs High entropy of concatenated method names: 'ChangeType', 'StripQuotes', 'Run', 'CiRs0DCoeWMo2gJpGMf', 'DIbiGtC35NrGHaATcLg', 'pGhGy3CJwDhY2SNTjsI', 'HfJJbuCPbUAr571xA3P', 'SgfwSDCm0TpN5D0bolZ', 'VyaYQiCKvvQkJOjvVbX', 'TZ9sIlCbhPBeKD0VLlH'
Source: in.exe.9.dr, AllWallets.cs High entropy of concatenated method names: 'Id2', 'Id3', 'zdnfMEXweiDdHO1jqrM', 'E3EDfdXXoD8Tw9Ob6iR', 'iBqgSgXVwghODKoX9MG', 'zrb0ZsXCCMy9sBqTu16', 'PPE6uUXBvBqA4fUtRCN', 'bJb3sXXUHBasLi5mcrU', 'GBJrXwXF01r2V8DRSKt', 'c1GgwjXe4IEdJvwI1mP'
Source: in.exe.9.dr, EwV3ECxYhIse1SOarW.cs High entropy of concatenated method names: 'MBXvWU1F3hP6XNq0rkA', 'NW9UUy1wd9TCaRccFBw', 'BPTavEfPI8', 'au0CYU1BGY2DPwLwkDH', 'mM5ihe1eBIaSZ8auFPB', 'pRLGxD12Bx6xx8PmEto', 'RxYbT319N52nKWN9dJP', 'OPRxDU163sBLCmxKepd', 'IqlOou1jsgumLF329fw', 'PJvuON1Q9rDebIpFDcZ'
Source: in.exe.9.dr, Kp3eZNOyNqfl614RmD.cs High entropy of concatenated method names: 'l5dizeUqZ0', 'ev6hyTNPTs', 'NY5wFA1M9ZEj0REWEBE', 'lUCGvK1s54bO38F8Gr8', 'UWF1Ri1ufgMUXTIaClZ', 'vIpqsD1tI7puyFNB2dQ', 'mbU9PU148JR0clJnJor'
Source: in.exe.9.dr, geUwbRLwd0WNm7K3QP.cs High entropy of concatenated method names: 'N8ciDNtrkD', 'UJfDNHTmFZ2YPk9V7WW', 'jkvbVDTK9miyxW3WC50', 'cm1hhqTbL5xHO8T9Zj5', 'xZeWmSTDOMaifpNRdd6', 'Y4qOZFTcAJmrLPHA1le', 'kZc5OUToldwtdWWbhxH', 'tJFaqBT3JJJvKFahByx', 'epnHXdTxnLhwwsgC8yl', 'LDIKtBTzOINIe5yoVBC'
Source: in.exe.9.dr, OBqe2IUAeSpOmlOQ4O.cs High entropy of concatenated method names: 'nOQdl4ODOg', 'tY3dXGtH5f', 'q9qdvQao7g', 'DpYddoq5nS', 'vUcduRRnlL', 'sqedUSL72O', 'MNddRugcTR', 'd6IBJRRp2Z', 'c8idQhNv3S', 'V1kdEyl02V'
Source: in.exe.9.dr, itVrv600AOcMBhsiIT.cs High entropy of concatenated method names: 'xdJaHaLaiy', 'V2DaSkpaDo', 'ojWablkBNc', 'DyHamcAFke', 'ArCa6Di0WB', 'EJyataZqWW', 'T7haJgpFAl', 'kNGa25aRtf', 'lj7acrWjTB', 'PYIahvCHho'
Source: in.exe.9.dr, DefaultConstants.cs High entropy of concatenated method names: 'C1MC12QztsQ32HPQOnL', 'lvBXuwZyrEsMLi75owM', 'q6I9q0ZqCGeKWIvUC0X', 'U0oRTyZfwgUSKj3CjDm', 'N5VjrGZNmoi2kDhW361', 'vqxLroZ8vhtNtCTl798', 'hJVDxOQcsITxFU03w4B', 'avbJw9QxjlVaGc51U4i'
Source: in.exe.9.dr, RECT.cs High entropy of concatenated method names: 'Ceiling', 'FromLTRB', 'GetNumericListSeparator', 'Inflate', 'Inflate', 'Intersect', 'Offset', 'Parse', 'Round', 'Truncate'
Source: in.exe.9.dr, XRails_Container.cs High entropy of concatenated method names: 'IsOverTitleBarIcon', 'OnSizeChanged', 'OnTextChanged', 'OnMouseDown', 'OnMouseDoubleClick', 'OnMouseMove', 'OnMouseUp', 'CreateHandle', 'OnPaint', 'jyQqJmZzTIoraKmhKB6'
Source: in.exe.9.dr, XRails_TextBox.cs High entropy of concatenated method names: '_Click', '_Enter', '_Leave', '_KeyDown', '_KeyUp', '_KeyPress', 'WatermarkContainer_Click', 'WatermarkContainer_Paint', 'OnFontChanged', 'OnForeColorChanged'
Source: in.exe.9.dr, XRails_LinkLabel.cs High entropy of concatenated method names: 'OnMouseDown', 'OnMouseMove', 'OnMouseLeave', 'OnInvalidated', 'cQV4Jq7meYAHaBMf9Ry', 'FI7OFd7K2L3yig8Nyfm', 'V0j8Jw7bZmYHXL5aKwP', 'qp6U287DtnN8ZpoMZla', 'YKP8QC7cMvJTVVGuWa8', 'zW4lAP7xEI32PXx0WSW'
Source: in.exe.9.dr, XRails_LogoBox.cs High entropy of concatenated method names: 'OnPaint', 'EMvD9pp6NJZbCDTmUUO', 'USG90ypjxSS504sXcpn', 'Jq4sn1pQfYt12mXxtPd', 'IOlABhpZb3ZVR4ivZNc', 'Jx2PPFpkSKTkYvWvIrx', 'oo3Yt2p7R0sa4KNpkUe', 'bFilkNpp49BM8VIRyyW', 'ig6p1Tp2ueuk1TkS3MY', 'JdBU45p9tpl47k4Idxy'
Source: in.exe.9.dr, XRails_Label.cs High entropy of concatenated method names: 'OnMouseDown', 'jgaB2R7goqSEAC8wkVZ', 'Q1749q7R3UxBYOrD2Km', 'efTsff7ENTFRKQbK1BH', 't3A7V57LFxooyRlCPr0', 'bXaMXh7G3rglNOagkNl', 'bcEGSt7r1k9GJfKEB3I', 'ODTRGQ716w3nvJ70jSW', 'nyXiYM700hAHi3N7v88', 'dZG8QR7lhMrV7hyT6cU'
Source: in.exe.9.dr, XRails_LeftPanel.cs High entropy of concatenated method names: 'OnMouseDown', 'RUIJSV7MKDcYOndtn0B', 'u141kV7s6G77pyncm4N', 'qbGdKZ7u6E4Z7HlsRqY', 'dluxQU7tcNKSCRhSWLl', 'cIjoLB7485quTjRCcHP', 'NKmF7a7AE8Q8wmEiDPo', 'ILUeMZ75VvZ9P9RbkxF', 'mvXkU27deWa8gZqYcp6', 'rVPSib7HlqCJapUD1lC'
Source: in.exe.9.dr, XRails_RightPanel.cs High entropy of concatenated method names: 'OnMouseDown', 'eowk7oprbN3raUvnQny', 'OEWUUOplocU7AfwedHw', 'EZBpSPpS9VGRxAmqND5', 'YFK10bpiShbk41h6wV4', 'kRC53NphFWBunYimtPB', 'pNaoqUpMkfqWviI0PJp', 'vwPy5lpLWlWd4cOQ9dD', 'mMt9itpGS1214lwx9sh', 'dDo9iHpsvgliF4D5UT8'
Source: in.exe.9.dr, XRails_ControlBox.cs High entropy of concatenated method names: 'OnResize', 'OnMouseMove', 'OnMouseLeave', 'OnMouseDown', 'OnMouseUp', 'OnCreateControl', 'OnPaint', 'nMlvT2kP1J3fN94PV15', 'CdO9TCkoZrhHfXSfYtK', 'TwXXhQk3oODLYsQeuTX'
Source: in.exe.9.dr, XRails_TitleLabel.cs High entropy of concatenated method names: 'OnMouseDown', 'OnPaint', 'U3ElydvH5FnBj9chqrn', 'QlaiGxvIysaV3VOXHgS', 'SrIMfcvWptHatp6m2s8', 'iXATwxvJjE8L9m6TY9C', 'XwVEFhvPVNlkSkvQTo6', 'YM7wB4volJ0XHDYdQ9J', 'IGadDMv3KExhDRwQDdC', 'RB5mptvmX4ZtU00DFO1'
Source: in.exe.9.dr, XRails_Button.cs High entropy of concatenated method names: 'NotifyDefault', 'PerformClick', 'RoundedRect', 'OnMouseUp', 'OnMouseDown', 'OnMouseMove', 'OnMouseLeave', 'OnTextChanged', 'OnHandleCreated', 'OnResize'

Persistence and Installation Behavior
barindex
Installs new ROOT certificates
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe File created: C:\Users\user\AppData\Local\Temp\main\7z.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe File created: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe Jump to dropped file
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe File created: C:\Users\user\AppData\Local\Temp\main\7z.exe Jump to dropped file
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\main\in.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\main\in.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Memory allocated: E50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Memory allocated: 28C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Memory allocated: 2650000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Window / User API: threadDelayed 1232 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Window / User API: threadDelayed 797 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\main\7z.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe API coverage: 5.1 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\main\in.exe TID: 5764 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe TID: 1020 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\main\in.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_0040367D GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 0_2_0040367D
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_004031DC FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_004031DC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00457978 FindFirstFileW,FindFirstFileW,free, 5_2_00457978
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0045881C free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free, 5_2_0045881C
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0045B5E0 GetSystemInfo, 5_2_0045B5E0
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\main\extracted Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\main\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: in.exe, 0000000B.00000002.2155247423.00000000052B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Code function: 11_2_00BFD07C LdrInitializeThunk, 11_2_00BFD07C
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_00402665 LoadLibraryA,GetProcAddress,GetNativeSystemInfo, 0_2_00402665
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 65,10 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p324051139125346723019431074 -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe" Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_00402744 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00402744
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0049D670 cpuid 5_2_0049D670
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,??_U@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar, 0_2_0040247D
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Queries volume information: C:\Users\user\AppData\Local\Temp\main\in.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_004039E7 lstrlenW,GetSystemTimeAsFileTime,GetFileAttributesW,memcpy,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_004039E7
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe Code function: 0_2_00405BFC ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,GetVersionExW,GetCommandLineW,lstrlenW,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,lstrlenW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA, 0_2_00405BFC
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\main\in.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\main\in.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\main\in.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\main\in.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\main\in.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\main\in.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 11.0.in.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.2022612006.0000000000422000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe, type: DROPPED
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 11.0.in.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.2022612006.0000000000422000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: in.exe PID: 5036, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe, type: DROPPED
Found many strings related to Crypto-Wallets (likely being stolen)
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumE#
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: JaxxE#
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ExodusE#
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: EthereumE#
Source: in.exe, 0000000B.00000000.2022612006.0000000000422000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: set_UseMachineKeyStore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Roaming\atomic\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Roaming\Guarda\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: in.exe PID: 5036, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 11.0.in.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.2022612006.0000000000422000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe, type: DROPPED
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 11.0.in.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.2022612006.0000000000422000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: in.exe PID: 5036, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1483181 Sample: jjjUC5ggb2nQMb1B6SvBkwmT.exe Startdate: 26/07/2024 Architecture: WINDOWS Score: 100 32 Found malware configuration 2->32 34 Yara detected PureLog Stealer 2->34 36 Yara detected RedLine Stealer 2->36 38 5 other signatures 2->38 7 jjjUC5ggb2nQMb1B6SvBkwmT.exe 8 2->7         started        process3 file4 26 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 7->26 dropped 28 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 7->28 dropped 40 Contains functionality to register a low level keyboard hook 7->40 11 cmd.exe 2 7->11         started        signatures5 process6 process7 13 in.exe 6 24 11->13         started        17 7z.exe 2 11->17         started        20 7z.exe 3 11->20         started        22 6 other processes 11->22 dnsIp8 30 23.94.183.150, 49706, 5058 AS-COLOCROSSINGUS United States 13->30 42 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->42 44 Installs new ROOT certificates 13->44 46 Found many strings related to Crypto-Wallets (likely being stolen) 13->46 48 3 other signatures 13->48 24 C:\Users\user\AppData\Local\Temp\...\in.exe, PE32 17->24 dropped file9 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
23.94.183.150
 unknown United States
36352 AS-COLOCROSSINGUS true

Contacted URLs

Name Malicious Antivirus Detection Reputation
23.94.183.150:5058 true
  • Avira URL Cloud: safe
 unknown