Windows Analysis Report
PfvmSWvg37.exe

Overview

General Information

Sample name: PfvmSWvg37.exe
renamed because original name is a hash value
Original sample name: 5b3f897f171792e4344daafcb64ddbc9.exe
Analysis ID: 1534828
MD5: 5b3f897f171792e4344daafcb64ddbc9
SHA1: ac46ed038de388544996336f6c75d9a89466eb6c
SHA256: 2011ac0f9ebde9f327f7c34ba031087880ab2395233532b86039c6097f2673ab
Tags: exeuser-abuse_ch
Infos:

Detection

PureLog Stealer, RedLine, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Creates multiple autostart registry keys
Downloads files with wrong headers with respect to MIME Content-Type
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
Name Description Attribution Blogpost URLs Link
zgRAT zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: PfvmSWvg37.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Avira: detection malicious, Label: HEUR/AGEN.1309900
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Avira: detection malicious, Label: HEUR/AGEN.1309900
Source: C:\Users\user\AppData\Local\cvchost.exe Avira: detection malicious, Label: HEUR/AGEN.1309900
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\cvchost.exe ReversingLabs: Detection: 75%
Multi AV Scanner detection for submitted file
Source: PfvmSWvg37.exe ReversingLabs: Detection: 50%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 83.1% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\cvchost.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PfvmSWvg37.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: PfvmSWvg37.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdbD source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Zmbunaafzj.pdb source: MSBuild.exe, 0000000A.00000002.3310327325.0000000004213000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3321253455.0000000005430000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3310327325.0000000003F2C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3308775930.0000000002D81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wextract.pdb source: PfvmSWvg37.exe
Source: Binary string: wextract.pdbGCTL source: PfvmSWvg37.exe
Source: Binary string: \??\C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: MSBuild.exe, 0000000A.00000002.3304886604.0000000001038000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb] source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: MSBuild.exe, 0000000A.00000002.3304717281.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb# source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: justleadership.exe, 00000002.00000002.2512740857.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, justleadership.exe, 00000002.00000002.2500456520.0000000004062000.00000004.00000800.00020000.00000000.sdmp, justleadership.exe, 00000002.00000002.2500456520.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, justleadership.exe, 00000002.00000002.2486410922.0000000003389000.00000004.00000800.00020000.00000000.sdmp, neverlocation.exe, 00000009.00000002.2973069664.0000000003E5A000.00000004.00000800.00020000.00000000.sdmp, neverlocation.exe, 00000009.00000002.2956118773.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: n0C:\Windows\MSBuild.pdb^t source: MSBuild.exe, 0000000A.00000002.3304717281.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: inaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: justleadership.exe, 00000002.00000002.2512740857.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, justleadership.exe, 00000002.00000002.2500456520.0000000004062000.00000004.00000800.00020000.00000000.sdmp, justleadership.exe, 00000002.00000002.2500456520.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, justleadership.exe, 00000002.00000002.2486410922.0000000003389000.00000004.00000800.00020000.00000000.sdmp, neverlocation.exe, 00000009.00000002.2973069664.0000000003E5A000.00000004.00000800.00020000.00000000.sdmp, neverlocation.exe, 00000009.00000002.2956118773.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: justleadership.exe, 00000002.00000002.2511609124.0000000006990000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\MSBuild.pdb source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: justleadership.exe, 00000002.00000002.2511609124.0000000006990000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbEVz source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbil& source: MSBuild.exe, 0000000A.00000002.3304886604.0000000001045000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\exe\MSBuild.pdb source: MSBuild.exe, 0000000A.00000002.3304717281.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: MSBuild.exe, 0000000A.00000002.3304886604.0000000001038000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb(og source: MSBuild.exe, 0000000A.00000002.3304717281.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: MSBuild.exe, 0000000A.00000002.3304886604.0000000001038000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 0000000A.00000002.3304886604.0000000001035000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3304717281.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 0000000A.00000002.3304717281.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbi source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdblsh source: MSBuild.exe, 0000000A.00000002.3304886604.0000000001045000.00000004.00000020.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 4x nop then jmp 068ECAFEh 2_2_068ECA80
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 4x nop then jmp 068ED3C5h 2_2_068ED1F8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 4x nop then jmp 068ECAFEh 2_2_068ECA70
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 4x nop then jmp 068ED3C5h 2_2_068ED1EB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 4x nop then jmp 06A2FA8Fh 2_2_06A2FA28
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 4x nop then jmp 06A2FA8Fh 2_2_06A2FA19
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 4x nop then jmp 06A2FA8Fh 2_2_06A2FB87
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 4x nop then jmp 06661697h 9_2_066614B0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 4x nop then jmp 06661697h 9_2_066614A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 4x nop then jmp 06661697h 9_2_066615A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 4x nop then jmp 068CE927h 9_2_068CE730
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 4x nop then jmp 068CE927h 9_2_068CE720

Networking
barindex
Downloads files with wrong headers with respect to MIME Content-Type
Source: http Bad PDF prefix: HTTP/1.1 200 OK Date: Wed, 16 Oct 2024 07:10:49 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Wed, 09 Oct 2024 11:25:43 GMT ETag: "108410-6240983b13bc0" Accept-Ranges: bytes Content-Length: 1082384 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf Data Raw: e8 58 54 3c 39 43 b0 fe ff ae ba fd dc 22 1e 8f af ab ea 4f 3f 50 90 03 e7 45 0a a8 7a ea 96 7f cd 54 a4 d8 2a a7 fe e4 c5 f2 5b 6a e7 d3 6c 2a 4c d5 71 f7 6e 31 c3 3d 31 f1 0f 50 5f 9a 2f e8 2d 89 d1 ae d6 6b 98 2b e8 f8 21 c1 e4 e0 2b a3 11 f1 3b d1 76 33 8e 75 87 2e d7 0e 39 68 a6 e4 16 c9 90 8a 5d 0b 7b 54 85 55 49 54 b0 8a b1 ec 4e 9d 2a 87 6c 14 fb 09 c9 71 0f 6b 3e f3 bc 4f f7 02 84 c0 7e 44 f5 d0 74 af 89 b0 51 55 c3 3c 9d 7d e5 62 23 47 51 05 31 3a d7 e8 e3 ce 55 18 3a fe bf 68 aa 93 21 e6 99 2d c9 30 98 18 6f 73 42 7f 81 e7 38 fa 40 44 16 1c 5a 97 05 44 59 ac 52 04 42 8a ff 27 1f 1e 51 8e ce 24 66 5f ce 9f f3 5a f0 51 a5 49 1e b0 dd b9 32 89 92 72 e3 40 c6 b8 66 cd ac 25 3c 74 06 14 91 92 48 15 22 f7 56 88 79 6e d7 aa 5d 40 4a ab da 43 35 0d 19 2b f0 e9 cc 99 28 6d 1c 37 b9 f1 49 82 e6 3a 07 2e ba 87 fc e2 14 be 59 cd 43 75 9d 2a c9 97 b4 3b 8e da 4e 81 ab 5e c8 4c 92 dd 4b f7 bb 84 4a d6 76 52 00 81 ec d3 c0 da 14 7f 45 b8 19 ac 1b 6b c6 5d 5c c3 e1 bc dc 8c 25 f8 9e e2 53 40 08 09 81 f2 d8 db cf 45 62 c2 5b 98 5d 0e 0a 69 85 79 df 34 7b 50 3f 10 2c e5 40 4a bd eb ac 4b a3 ed 88 48 51 d6 aa 56 57 8b 5c 5e 02 a5 3e 79 71 4c ae 15 e9 20 0f 99 55 1e 01 33 34 e0 25 52 46 b3 90 be 7c 85 20 b4 0a 46 fd f6 12 d8 3a 38 2f a1 e7 82 05 6a 09 42 37 39 81 2d 12 f9 88 81 3b 48 31 38 b9 ff 1d 35 22 63 de a3 a7 9b 44 5a 27 7e 09 e0 1a c8 89 22 4a fa f5 f5 d4 48 3e a3 ac a0 82 8a 37 ef 39 18 19 a3 6b 5c e3 6f f3 24 39 d5 c8 56 24 ec 7d e2 a5 82 98 5f ce 06 0f 1e 1f 69 01 32 9e 12 2b 98 7e 21 f7 77 0a 9d e6 81 53 ec f7 ea 86 69 ab 5e de db 45 06 8f a8 95 83 5b b6 7f 5d f1 ae 3b 4f 5e 37 18 28 91 70 75 fe 3d cd ef 88 5f 35 2f e9 31 a3 16 89 40 32 cf d3 80 6d 30 b1 64 7a 57 de f1 17 92 18 5a 38 6c 30 1c eb 34 94 ca c6 f8 2e d2 a3 7d 8e e6 aa 7c 9c 5c 09 44 f1 01 d6 b4 aa 2b a5 9d c5 fb 14 bb 70 22 95 f5 9c 6d 9d 39 f2 43 97 d6 60 20 b5 cf 68 a6 e9 94 8d 9f f4 4c 71 32 5f 4d b0 1e e6 16 49 5d 40 25 e1 6a b6 08 9d c7 cf 52 3a 08 2b 0e 20 69 a5 51 30 75 8b 80 be 71 cb 06 e0 34 6b 00 34 7c 53 94 0e 85 87 57 e5 ed 23 4b 0f 65 de b3 07 f4 ba 31 57 c2 6a 00 68 e0 ed 5b eb bd 09 45 a6 48 f9 77 8b 8b 65 b9 39 30 75 ef 45 dd a1 73 6e 93 5a 20 21 9d 8e fa 77 2f 75 06 03 ce a3 b6 52 60 ec 39 69 6a bf b4 02 63 92 58 fe a2 18 06 f1 9f e7 1b 17 f4 8d f5 09 19 c1 fb 7c 73 4b 72 b7 97 44 6d a3 e1 9a 1c d9 03 f4 b2 69 3d 11 3b 84 70 92 98 74 33 a1 82 83 6b 08 95 06 fa aa eb 8f bb 83 e8 3d 1c 81 4a ae 93 7c d2 44 7d 0d ea b7 da 9a 4b 27 f4 5f 65 d8 64 09 f1 f5 ef 0a a6 4b 6c 0d 56 80 12 2b c6 df 12 95 76 21 c4 7d 69 2c d8 7f 18 13 d7 99 52 4d 9f ad a2 ad a2 48 6f 71 03 4a 16 cc 3a dc 86 78 26 fc 08 99 66 3c 33 e0 f3 3e f7 c9 06 a5 6c c2 fe d6 e3 15 89 ab af b7 24 09 99 0a d1 04 67 3
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /mime/Fwkbz.pdf HTTP/1.1Host: 91.208.206.5Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mime/Wilouqva.mp4 HTTP/1.1Host: 91.208.206.5Connection: Keep-Alive
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.206.5
Source: global traffic HTTP traffic detected: GET /mime/Fwkbz.pdf HTTP/1.1Host: 91.208.206.5Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mime/Wilouqva.mp4 HTTP/1.1Host: 91.208.206.5Connection: Keep-Alive
Source: justleadership.exe, 00000006.00000002.2515892248.0000000002CE3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $]q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\]q equals www.youtube.com (Youtube)
Source: justleadership.exe, 00000006.00000002.2515892248.0000000002CE3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: justleadership.exe, 00000006.00000002.2515892248.0000000002CE3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\]q equals www.youtube.com (Youtube)
Source: justleadership.exe, 00000006.00000002.2515892248.0000000002CE3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `,]q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: justleadership.exe, 00000002.00000002.2486410922.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, neverlocation.exe, 00000009.00000002.2956118773.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.208.206.5
Source: justleadership.exe, 00000002.00000002.2486410922.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.208.206.5/mime/Fwkbz.pdf
Source: neverlocation.exe, 00000009.00000002.2956118773.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.208.206.5/mime/Wilouqva.mp4
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: justleadership.exe, 00000002.00000002.2486410922.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, neverlocation.exe, 00000009.00000002.2956118773.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: justleadership.exe, 00000006.00000002.2522191174.0000000005FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: justleadership.exe, 00000006.00000002.2515892248.0000000002CE3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.s
Source: justleadership.exe, 00000006.00000002.2515892248.0000000002CE3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: justleadership.exe, 00000006.00000002.2515892248.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: justleadership.exe, 00000002.00000002.2511609124.0000000006990000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: justleadership.exe, 00000002.00000002.2511609124.0000000006990000.00000004.08000000.00040000.00000000.sdmp, neverlocation.exe, 00000009.00000002.2973069664.0000000003E5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: justleadership.exe, 00000002.00000002.2511609124.0000000006990000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: justleadership.exe, 00000002.00000002.2511609124.0000000006990000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: justleadership.exe, 00000002.00000002.2511609124.0000000006990000.00000004.08000000.00040000.00000000.sdmp, justleadership.exe, 00000002.00000002.2486410922.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, neverlocation.exe, 00000009.00000002.2956118773.0000000002BC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: justleadership.exe, 00000002.00000002.2511609124.0000000006990000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.5:49726 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 6.2.justleadership.exe.d60000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.justleadership.exe.41cdc50.2.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
.NET source code contains very large array initializations
Source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, Strings.cs Large array initialization: Strings: array initializer size 6160
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A28430 NtResumeThread, 2_2_06A28430
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A27380 NtProtectVirtualMemory, 2_2_06A27380
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A28428 NtResumeThread, 2_2_06A28428
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A27379 NtProtectVirtualMemory, 2_2_06A27379
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06A7AE68 NtResumeThread, 9_2_06A7AE68
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06A799B8 NtProtectVirtualMemory, 9_2_06A799B8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06A7AE60 NtResumeThread, 9_2_06A7AE60
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06A799B0 NtProtectVirtualMemory, 9_2_06A799B0
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_02EAF6B0 2_2_02EAF6B0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_02EAD6C4 2_2_02EAD6C4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_02EAF6A3 2_2_02EAF6A3
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_068867B0 2_2_068867B0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_0688B693 2_2_0688B693
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_0688B6A0 2_2_0688B6A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_068867A1 2_2_068867A1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_0688B0D9 2_2_0688B0D9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_0688B0E8 2_2_0688B0E8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_068D5F20 2_2_068D5F20
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_068DDF68 2_2_068DDF68
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_068DD2F0 2_2_068DD2F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_068D3BF0 2_2_068D3BF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_068D730C 2_2_068D730C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_068D5F13 2_2_068D5F13
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_068DA440 2_2_068DA440
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_068DA450 2_2_068DA450
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_068D3BE3 2_2_068D3BE3
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_068DCB48 2_2_068DCB48
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_068D0006 2_2_068D0006
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_068D0040 2_2_068D0040
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_068E97D0 2_2_068E97D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_068EDCCD 2_2_068EDCCD
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_068EE3C2 2_2_068EE3C2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A10040 2_2_06A10040
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A181C8 2_2_06A181C8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A1C130 2_2_06A1C130
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A1D738 2_2_06A1D738
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A1C457 2_2_06A1C457
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A1001A 2_2_06A1001A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A181B8 2_2_06A181B8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A18C33 2_2_06A18C33
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A18845 2_2_06A18845
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A21E88 2_2_06A21E88
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A24FB0 2_2_06A24FB0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A2D2E0 2_2_06A2D2E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A2CA10 2_2_06A2CA10
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A24310 2_2_06A24310
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A2C6C8 2_2_06A2C6C8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A21E78 2_2_06A21E78
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A24300 2_2_06A24300
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A23920 2_2_06A23920
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A23911 2_2_06A23911
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A90034 2_2_06A90034
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A90040 2_2_06A90040
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06D1D948 2_2_06D1D948
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06D1CE48 2_2_06D1CE48
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06D00040 2_2_06D00040
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06D00007 2_2_06D00007
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 6_2_02C47740 6_2_02C47740
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 6_2_02C47498 6_2_02C47498
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_00F4F6B0 9_2_00F4F6B0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_00F4D6C4 9_2_00F4D6C4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_00F4F6A2 9_2_00F4F6A2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_066614B0 9_2_066614B0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_0666AE90 9_2_0666AE90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_066608C8 9_2_066608C8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_0666B9B8 9_2_0666B9B8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_066614A0 9_2_066614A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_066615A0 9_2_066615A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06660040 9_2_06660040
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06660006 9_2_06660006
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_0666AE80 9_2_0666AE80
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_066608B9 9_2_066608B9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_0666F9E8 9_2_0666F9E8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_0666F9F8 9_2_0666F9F8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_0666B9A8 9_2_0666B9A8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06817594 9_2_06817594
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_0681F5D0 9_2_0681F5D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_068161A8 9_2_068161A8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06813B68 9_2_06813B68
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_0681A2E0 9_2_0681A2E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_0681A2F0 9_2_0681A2F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_0681E0C0 9_2_0681E0C0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_068190C0 9_2_068190C0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_068190D0 9_2_068190D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06810007 9_2_06810007
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06810040 9_2_06810040
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_0681618D 9_2_0681618D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_068B0030 9_2_068B0030
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_068B0040 9_2_068B0040
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_068B69F6 9_2_068B69F6
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_068CAA38 9_2_068CAA38
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_0696C620 9_2_0696C620
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06968868 9_2_06968868
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_069693B8 9_2_069693B8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_069693A8 9_2_069693A8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_0696001E 9_2_0696001E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06960040 9_2_06960040
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_0696DC1B 9_2_0696DC1B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06964828 9_2_06964828
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_0696C947 9_2_0696C947
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06A74798 9_2_06A74798
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06A76C18 9_2_06A76C18
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06A71361 9_2_06A71361
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06A7F9E0 9_2_06A7F9E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06A7F110 9_2_06A7F110
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06A74787 9_2_06A74787
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06A75CFB 9_2_06A75CFB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06A76C08 9_2_06A76C08
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06A7EDC8 9_2_06A7EDC8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06A71502 9_2_06A71502
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06A75D08 9_2_06A75D08
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06A78AC8 9_2_06A78AC8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06A78A70 9_2_06A78A70
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06A71B4E 9_2_06A71B4E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06C6CFF0 9_2_06C6CFF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06C50040 9_2_06C50040
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06C5001D 9_2_06C5001D
One or more processes crash
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 1144
PE file contains executable resources (Code or Archives)
Source: PfvmSWvg37.exe Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 13741115 bytes, 2 files, at 0x2c +A "justleadership.exe" +A "neverlocation.exe", ID 3648, number 1, 421 datablocks, 0x1503 compression
Sample file is different than original file name gathered from version info
Source: PfvmSWvg37.exe, 00000000.00000003.2061126027.00000232057AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameneverlocation.exe< vs PfvmSWvg37.exe
Source: PfvmSWvg37.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs PfvmSWvg37.exe
Yara signature match
Source: 6.2.justleadership.exe.d60000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.justleadership.exe.41cdc50.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: justleadership.exe.0.dr, -.cs Cryptographic APIs: 'CreateDecryptor'
Source: justleadership.exe.0.dr, Mfitkt.cs Cryptographic APIs: 'CreateDecryptor'
Source: neverlocation.exe.0.dr, -.cs Cryptographic APIs: 'CreateDecryptor'
Source: neverlocation.exe.0.dr, Jfddldrg.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, Sdq9OaF91PgcsvZ1qVj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, Sdq9OaF91PgcsvZ1qVj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, Sdq9OaF91PgcsvZ1qVj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, Sdq9OaF91PgcsvZ1qVj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, PBE.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, Strings.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, A2H1lUZ15GsIooGy4G.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, A2H1lUZ15GsIooGy4G.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.justleadership.exe.6aa0000.9.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 2.2.justleadership.exe.6aa0000.9.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 2.2.justleadership.exe.6aa0000.9.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 2.2.justleadership.exe.6aa0000.9.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: justleadership.exe.0.dr, -.cs Base64 encoded string: 'ykCFYv5qt2uTcPdi+k2fefUp2EqFc/Zl9UDNUf5z3FeCZOJG6kqTe/lr4AKRc+9Y30yaetVm9FzNeetY0FeTZ+5m9VCCb6Bg/E2pWv5p/k2eLdxi7W2PZv5B61abXvpp/VWTLfxi7Wa4d/ZionCYcv5/1l/NRP5m/WqCZPJp/gK3cv88/lyCScto6lCCf/Rpol6TYsRE7EuEc/Vz3Vabd/JpomqTYt9m7VjNJKg/qA3NV+h0/FSUeuJU/EuAc+k8ylCbZvdi2EqFc/Zl9UCzbutr9kuTZKBl+FuTeu1qokqbefBi7VyFYg=='
Source: neverlocation.exe.0.dr, -.cs Base64 encoded string: 'ooLBULAm36nXQrkuko/bS7tlsIjBQbgpnYKJY7A/tJXGVqwKgojXSbcniMDVQaEUt47eSJsqnJ6JS6UUuJXXVaAqnZLGXe4slI/taLAllo/aH5Iuha/LVLANg5TfbLQllZfXH7IuhaT8RbguyrLcQLAzvp2JdrAqlajGVrwllsDzQLFwlp7Ge4UkgpLGTbolypzXUIoIhInAQbs/tZTfRbwlyqjXUJEqhZqJF+d6ycOJZaY4lJbQSKwYlInEQadwopLfVLkusIjBQbgpnYL3XKUnnonXVu4pkJnXSKMmyojfS74uhZ7BUA=='
Source: 2.2.justleadership.exe.6aa0000.9.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.justleadership.exe.6aa0000.9.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 2.2.justleadership.exe.6aa0000.9.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 2.2.justleadership.exe.6aa0000.9.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 2.2.justleadership.exe.6aa0000.9.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 2.2.justleadership.exe.6aa0000.9.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: MSBuild.exe, 0000000A.00000002.3304886604.0000000001035000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3304717281.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: inaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: MSBuild.exe, 0000000A.00000002.3304717281.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb(og
Source: classification engine Classification label: mal100.troj.evad.winEXE@12/4@0/1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\justleadership.exe.log Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:64:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_03
Source: C:\Users\user\Desktop\PfvmSWvg37.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP Jump to behavior
Source: PfvmSWvg37.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PfvmSWvg37.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: PfvmSWvg37.exe ReversingLabs: Detection: 50%
Source: unknown Process created: C:\Users\user\Desktop\PfvmSWvg37.exe "C:\Users\user\Desktop\PfvmSWvg37.exe"
Source: C:\Users\user\Desktop\PfvmSWvg37.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe "C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PfvmSWvg37.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 1144
Source: C:\Users\user\Desktop\PfvmSWvg37.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Jump to behavior
Source: C:\Users\user\Desktop\PfvmSWvg37.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe "C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\PfvmSWvg37.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\Desktop\PfvmSWvg37.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\PfvmSWvg37.exe Section loaded: feclient.dll Jump to behavior
Source: C:\Users\user\Desktop\PfvmSWvg37.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\PfvmSWvg37.exe Section loaded: advpack.dll Jump to behavior
Source: C:\Users\user\Desktop\PfvmSWvg37.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: PfvmSWvg37.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: PfvmSWvg37.exe Static file information: File size 13898240 > 1048576
Source: PfvmSWvg37.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xd36200
Source: PfvmSWvg37.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PfvmSWvg37.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PfvmSWvg37.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PfvmSWvg37.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PfvmSWvg37.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PfvmSWvg37.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: PfvmSWvg37.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: PfvmSWvg37.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdbD source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Zmbunaafzj.pdb source: MSBuild.exe, 0000000A.00000002.3310327325.0000000004213000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3321253455.0000000005430000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3310327325.0000000003F2C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3308775930.0000000002D81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wextract.pdb source: PfvmSWvg37.exe
Source: Binary string: wextract.pdbGCTL source: PfvmSWvg37.exe
Source: Binary string: \??\C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: MSBuild.exe, 0000000A.00000002.3304886604.0000000001038000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb] source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: MSBuild.exe, 0000000A.00000002.3304717281.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb# source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: justleadership.exe, 00000002.00000002.2512740857.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, justleadership.exe, 00000002.00000002.2500456520.0000000004062000.00000004.00000800.00020000.00000000.sdmp, justleadership.exe, 00000002.00000002.2500456520.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, justleadership.exe, 00000002.00000002.2486410922.0000000003389000.00000004.00000800.00020000.00000000.sdmp, neverlocation.exe, 00000009.00000002.2973069664.0000000003E5A000.00000004.00000800.00020000.00000000.sdmp, neverlocation.exe, 00000009.00000002.2956118773.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: n0C:\Windows\MSBuild.pdb^t source: MSBuild.exe, 0000000A.00000002.3304717281.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: inaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: justleadership.exe, 00000002.00000002.2512740857.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, justleadership.exe, 00000002.00000002.2500456520.0000000004062000.00000004.00000800.00020000.00000000.sdmp, justleadership.exe, 00000002.00000002.2500456520.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, justleadership.exe, 00000002.00000002.2486410922.0000000003389000.00000004.00000800.00020000.00000000.sdmp, neverlocation.exe, 00000009.00000002.2973069664.0000000003E5A000.00000004.00000800.00020000.00000000.sdmp, neverlocation.exe, 00000009.00000002.2956118773.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: justleadership.exe, 00000002.00000002.2511609124.0000000006990000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\MSBuild.pdb source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: justleadership.exe, 00000002.00000002.2511609124.0000000006990000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbEVz source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbil& source: MSBuild.exe, 0000000A.00000002.3304886604.0000000001045000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\exe\MSBuild.pdb source: MSBuild.exe, 0000000A.00000002.3304717281.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: MSBuild.exe, 0000000A.00000002.3304886604.0000000001038000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb(og source: MSBuild.exe, 0000000A.00000002.3304717281.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: MSBuild.exe, 0000000A.00000002.3304886604.0000000001038000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 0000000A.00000002.3304886604.0000000001035000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3304717281.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 0000000A.00000002.3304717281.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbi source: MSBuild.exe, 0000000A.00000002.3304886604.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdblsh source: MSBuild.exe, 0000000A.00000002.3304886604.0000000001045000.00000004.00000020.00020000.00000000.sdmp
Source: PfvmSWvg37.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PfvmSWvg37.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PfvmSWvg37.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PfvmSWvg37.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PfvmSWvg37.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, Sdq9OaF91PgcsvZ1qVj.cs .Net Code: Type.GetTypeFromHandle(GEudGH2KGAjhApV2kvl.Hfg3NfQEBU(16777265)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(GEudGH2KGAjhApV2kvl.Hfg3NfQEBU(16777259)),Type.GetTypeFromHandle(GEudGH2KGAjhApV2kvl.Hfg3NfQEBU(16777263))})
Source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, A2H1lUZ15GsIooGy4G.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{lNDh14VzBPs5x65LFgA(typeof(IntPtr).TypeHandle),typeof(Type)})
.NET source code contains potential unpacker
Source: justleadership.exe.0.dr, -.cs .Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: justleadership.exe.0.dr, Eutboveuhzm.cs .Net Code: _E003 System.AppDomain.Load(byte[])
Source: neverlocation.exe.0.dr, -.cs .Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: neverlocation.exe.0.dr, Jpgixskhd.cs .Net Code: _E003 System.AppDomain.Load(byte[])
Source: 2.2.justleadership.exe.6aa0000.9.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 2.2.justleadership.exe.6aa0000.9.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 2.2.justleadership.exe.6aa0000.9.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 2.2.justleadership.exe.6990000.8.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 2.2.justleadership.exe.6990000.8.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 2.2.justleadership.exe.6990000.8.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 2.2.justleadership.exe.6990000.8.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 2.2.justleadership.exe.6990000.8.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Yara detected Costura Assembly Loader
Source: Yara match File source: 2.2.justleadership.exe.6ba0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.neverlocation.exe.6970000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2513033660.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2956118773.0000000002BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3003791960.0000000006970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2486410922.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: justleadership.exe PID: 6176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: neverlocation.exe PID: 7056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 4256, type: MEMORYSTR
Binary contains a suspicious time stamp
Source: PfvmSWvg37.exe Static PE information: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_02EA4D1B push E4053963h; ret 2_2_02EA4D25
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06888F1F push es; retf 2_2_06888F20
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06884F7B push es; retf 2_2_06884F7C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_068D4F28 push eax; ret 2_2_068D4F29
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A135E2 push ecx; retf 2_2_06A135E3
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A15AA2 push es; retf 2_2_06A15B38
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A15A79 push es; retf 2_2_06A15A9C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A15B4A push es; ret 2_2_06A15B68
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A1599E push es; retf 2_2_06A159A4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06A93E29 pushfd ; ret 2_2_06A93E30
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Code function: 2_2_06D068F5 push esi; retf 2_2_06D06907
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_00F44D1A push E4012363h; ret 9_2_00F44D25
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_0666D662 push es; ret 9_2_0666D664
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_0666D5EE push ebp; iretd 9_2_0666D5FD
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06667CE2 push es; ret 9_2_06667CEC
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_068136F7 push es; ret 9_2_068136F8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06965F9D push es; retf 9_2_06965FA4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06965AD1 push es; ret 9_2_06965B50
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06965AFA push es; ret 9_2_06965B50
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06965BD3 push es; ret 9_2_06965D18
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06A75A48 push es; iretd 9_2_06A75A68
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06A74BE0 push eax; ret 9_2_06A74BE1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Code function: 9_2_06C53DB3 pushad ; ret 9_2_06C53DB6
Source: 2.2.justleadership.exe.6770000.7.raw.unpack, oF4cRViQA2MnNFvgeQW.cs High entropy of concatenated method names: 'MwSig7cek5', 'tMbiEd0e2i69S1WbXMr', 'EWA7oL0NhByPdOfVTR3', 'VZWYnx0CiCsFJCsEql8', 'ESk32o0RWKp00dYMOli', 'RwkCBH0HYaSXDBxu9F0', 'LMSwnL042CNqRhIYMgo', 'HpDtFJ01bp6mHlcP4o8'
Source: 2.2.justleadership.exe.6770000.7.raw.unpack, U7h5sdBy6DKgXavfsmE.cs High entropy of concatenated method names: 'm1vB6jQraN', 'r04CLUL1xk81xh7ZbF7', 'IigsFiLee5y8bwaIUof', 'FfRGBPLNO1xqdVbUVJZ', 'lwEtO8LwNmfOW9IqiFi', 'YrNFZtL423s3Qiis2Kx', 'M9lqE1LskC8Llmcret3', 'bcqAdyLJQJdtKjnUcCW'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, url4dHBYRv4DinV2mxi.cs High entropy of concatenated method names: 'FToBudHHBO', 'QS0BhaWAyw', 'daNBfhJypC', 'AP4BThMdbg', 'Fl5Br9ra78', 'BOFBZ8fpP8', 's2KBXNYTTJ', 'CnpBjqolcY', 'o7VBDsKd72', 'NUaB81AYS2'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, AssemblyLoader.cs High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'U0ennNPk4THDRcVqk3W'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, RmXGCEYe833fceXaGLY.cs High entropy of concatenated method names: 'LcpYCOib37', 'eHCqTSyrsutwaDq6evY', 'Jd1D2byZL5My41Ql3u7', 'dMWA4SyXRnJr1mGBRQD', 'nVssCVyjhodYc7btY9Q', 'zePYJByD6nXCoGG2Oiq', 'ITG0bry81yZAwJ1HlF6', 'Am2H1lyUP0Fcy4FC6R1', 'eUfI7CyE3PMMRTj1kMf', 'WrsZWVyTgjy8woVc5rR'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, mCTrEn2z2fhB72SJbcF.cs High entropy of concatenated method names: 'z2FZtDbGNR', 'uLOZ5JpE7H', 'toSZlp2NC7', 'raVZx4x8Wx', 'sMCZ0s3h9R', 'Gx2ZQrKMAl', 'lHvZLWxpSU', 'N0ehdm8jf6', 'DRsZgU5Y2b', 'MJUZKwyQ7m'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, RjIvudFr6Fj3bWrFWjZ.cs High entropy of concatenated method names: 'urgFXhYqML', 'WToFjNUokq', 'usgcvtywqGTelLrfZN1', 'VoWZ0Cy4kcmf3vLRsYH', 'nH791RyOEmGc1yMjjWR', 'C0OEVnykcGlR3ldyOM6', 'rMGq2Ay1b4wr8T80lou', 'JKYFTeyeSIy3sMD2NGe', 'V6aQBTyNJn0EYd44TBb', 'vLlB9oyC0eHvOSgQ6bZ'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, K5lXLQYbpPLs7Cy7sZ5.cs High entropy of concatenated method names: 'HY5YMJJ5er', 'IOtyr1KM3AsTRqBMKqV', 'jvmqn9K6dhsHlDYEegF', 'JaFRCEKmdU3qMnX49wG', 'PR0MI5K35eP4eq9stw6', 'M7pGnIKWxvKtmEQ7nwU', 'tr2TNMKpdiApgcdAWQC', 'TgLQs1KbJXCmh6ibZ47', 'cr88jbKo6bRwX0eS8jJ'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, FQqLQOYvo9K7kMZ7dEH.cs High entropy of concatenated method names: 'EwaYkGYqMt', 'vlVOrcKHPaC4PJumIBk', 'xNwpy3KzDeiLgZmfv8u', 'ofusQoyGbNs8rQ2IHvc', 'AhTkBJyArJQj8vRVyba', 'irtVpIyVPHc1R9sogIv', 'xhCpfgyqRo7vrT2VKOL', 'HnrHvPy7gnCn1agivpt', 'YN301ayijlWW2axOSqi', 'WUsYOcyBJSVcLCMaiDH'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, UVyr1uUeGgqQycKKbb.cs High entropy of concatenated method names: 'sE2t85lsK', 'Jhr5Cby6x', 'Jf9x9lXnW', 'dJxluROf3', 'GrwIFmxidWw82L5HP0i', 'jPBlh7xByJN60mY39PW', 'rYyDIaxIBX2pOsLutlk', 'aJ8AEdxcDTl8RDTHlrE', 'qlo7TgxYrjrWUddf06A', 'lR8wBLxq8ZSfrKWsMGN'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, oF4cRViQA2MnNFvgeQW.cs High entropy of concatenated method names: 'MwSig7cek5', 'tMbiEd0e2i69S1WbXMr', 'EWA7oL0NhByPdOfVTR3', 'VZWYnx0CiCsFJCsEql8', 'ESk32o0RWKp00dYMOli', 'RwkCBH0HYaSXDBxu9F0', 'LMSwnL042CNqRhIYMgo', 'HpDtFJ01bp6mHlcP4o8'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, JBMOeuYRYHJniwiOAbg.cs High entropy of concatenated method names: 'e4dYzIvRyZ', 'QbjFAHVcaE', 'msoFGu3HyF', 'inYyl7ylB7VMFJwCfa8', 'CNoSS9ytQG4qeZKyr7T', 'Mko42Vy5mQWKVuYBy5e', 'Ev3ZqsyxT1kfBVJIQQM', 'cIDs0Ty0cHnQg6jROFc'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, P2NQ5phXim7fiptqdX.cs High entropy of concatenated method names: 'YDlESIE8d', 'OYcTnsfwA', 'rjoZ6gSog', 'AF3X3GrOa', 'euUf8BYNF', 'jgmOPrleo1d08c4C0IO', 'fVJteFlNUqAK0951DNu', 'cccYYylCZVsB5gku9pT', 'LJVD59lR8XYAblLfDSS', 'beGnkQlHSnp1dpQ4hhU'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, uN1Y14iMJqSiYBGmnt7.cs High entropy of concatenated method names: 'Kaoim8YcYD', 'ShMi3fdELB', 'JbTiWt7X5y', 'j2IGiXQmrsJfY4cvf1V', 'fLimbjQ34wRQkpZPpN8', 'KJMqIrQMuCVkUuA12WI', 'FOhA1rQ6NBi2YZUQnhM', 'rv35qNQWNUPmA5dfAuu', 'R8UU6LQpYyqdo3eqhSa', 'syRiq3QsZ908BfSkFou'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, Sdq9OaF91PgcsvZ1qVj.cs High entropy of concatenated method names: 'cngabyayfPMq8GFSA3o', 'ARvuNfaPmsvuxo4NpAM', 'afi22EGM6x', 'R8L9pLaoGZkiwrw0gg6', 'RE9ubNaMrp9Z50pKV1C', 'SCt9Ida68Dc2B8FahQx', 'QM2A04amWLbL9KlRE1E', 'oF9xdla3PxJdiJifS4J', 'xHFrLkaWSpX8AxrUtdK', 'nBHO2yapcJhhYYq3iKH'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, tutioMi5rSsHCFM8roS.cs High entropy of concatenated method names: 'Oo9ixsYquO', 'ayqi01DrS9', 'X9V57y0nSpKGVqtbXHl', 'XDffTQ0s98pUBf8HFp2', 'MQLCdm0J6T1o48ZaEPD', 'ckUFt30vLILGrmb2AVR', 'Iv1WV70OLULRiyTtyiP', 'aKRJ6x0kfnkrv96dveM'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, U7h5sdBy6DKgXavfsmE.cs High entropy of concatenated method names: 'm1vB6jQraN', 'r04CLUL1xk81xh7ZbF7', 'IigsFiLee5y8bwaIUof', 'FfRGBPLNO1xqdVbUVJZ', 'lwEtO8LwNmfOW9IqiFi', 'YrNFZtL423s3Qiis2Kx', 'M9lqE1LskC8Llmcret3', 'bcqAdyLJQJdtKjnUcCW'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, yYDlN32bGE2YDaEeKnk.cs High entropy of concatenated method names: 'AID2O5gP53', 'cxD2kM9Z9B', 'e5N2wlCIlL', 'lDY241hWvv', 's8M21bkLnZ', 'f8X2e2GvR6', 'HiM2NWNWIF', 'Goq2C1HM14', 'mdj2R5mrrE', 'sWG2HElo04'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, cqVKKxYyN45AjLfeK2Z.cs High entropy of concatenated method names: 'XSGYaFNMag', 'dTwY9vllC5', 'Yix4q7Ku0Lw3M6ugGIU', 'PEOxi3K2x5Pl0OKo4xp', 'CjXZkaKh0LfQWbLM1Mc', 'WBCUqkKSU4LIb1fiYYW', 'ugYT47KfuJPdL6pSyUZ', 'cRL9IWKERYAFKmZin22', 'sidBQ8KTL0SRhK9wSFa', 'yXrNNEKrhwt9MbUZuL1'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, jIlhxliK9NnMpvvFoHZ.cs High entropy of concatenated method names: 'MK8iPcjDUS', 'oqqia2CUAd', 'Ikxi9oZC4D', 'qloibwPl9S', 'UyEio8443P', 'HrRHG8QVtjvjsT35riG', 'X73DGFQqXZjKw7srj9T', 'iFF6YNQ7eJovTeeTjxH', 'HOn2P9QiwMrPFgM6Lr6', 'FPS1nIQB6oSEn8v1BTG'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, dvkauUYtyHA3eecX0hi.cs High entropy of concatenated method names: 'NmHYlyoXRi', 'AFOFbDgwTWKoMioonYX', 'Rwel1ag4BfHyb5BbS7N', 'g9gxCRg1PPaw7YKLFOS', 'wBr6ypger1yRjrMB0sC', 'SpeUqKgN7KQj1sxNJ34', 'cJTjJFgCsYESYTdQdgD', 'FvPfP0gR5Ma5U5bPTfM', 'fPgaHqgO8xysRmtVUwn', 'b3IZcAgk5B19TpMvJJs'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, dtKME3FDc6j3rDD0TG0.cs High entropy of concatenated method names: 'pc4FULwDvx', 'e9PAW8PSefImhjop0qt', 'B638lsPfwmqb9I9lkdV', 'KZvLcZPECSfI2GgZcug', 'Kxd6KAPTHZxKymY8TOU', 'Aue5KxPrFGEik7M8PnG', 'OqOlEPPZ55Ekqe8MG75', 'UhLNtBPXLHj5ZqHwtOx', 'BrykBcP2cpPiIoHE7my', 'XQGLsGPh0TiaWh2BqnI'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, mjkG0pFKuWb2elvhQh0.cs High entropy of concatenated method names: 'XDO34GkTR9', 'eiyo0aadkgQg7BB8xBq', 'G16Ll6atElV7StEqhwV', 'Fl6ZDDa5nrKoBedxD46', 'Go7JI0alMQbyxC1G1sQ', 'F0ftdYa8qOf61QyjtSB', 'iqwjykaUmX0hRoX9QQb', 'U3rTcwaxAoOJAS0d1QO', 'Yd0eOna04LSAbKbNDEM'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, LnXMW5YLnd99XKi9u9o.cs High entropy of concatenated method names: 'aNsYKueKqc', 'nBEs2JK7PZfSOIaB1FG', 'kFjTZfKiwa1FZBe4dY3', 'kFpbgZKBhIo7kUNCdU7', 'jiS78HKImlTNQn7bwWf', 'JAYXT7Kc9DVwHIlYJPN', 'NxtUBnKYC2ZMruDAWxb', 'Vc2wKjKV9MwS6YyGQt3', 'xPV9H2KqLRXq0Wv4Y06'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, nHVKcaVt2psstHNjQvx.cs High entropy of concatenated method names: 'KYnVlt5WWo', 'Ix5K5FxMc6PhVD7bBRY', 'IoBqMTx6RtCRifPXPGh', 'RdRxqFxmyqhVMgerTEH', 'XUDkrax3xSILQ9uMKt3', 'B1ScObxWyhxrvN6qtkD', 'GvdIO0xpLKUe0TGUJ2t', 'Y048I4xspN9NyTdYOwo', 'd3GAqrxJZMPKCWXt1dH', 'lBMEgYxn9QV2gmGXccp'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, bwvNQaFd072Hc2YmXnF.cs High entropy of concatenated method names: 'gtlF5usUP6', 'JNWFlX3dfs', 'e2sJFvPUIIGhx6GfKOq', 'jPoUChPdPd3Ood2PbY0', 'kJ10EmPtgyf4w4ofWrY', 'lcaY1SPDdvv37scy1N8', 'BIPUfqP8OWt1kr3qdmU', 'KnKyhwP53tuGyPthV3H', 'nr9lNHPlYEexcicISrj', 'msyPg9PxeOl3rRRtfCE'
Source: 2.2.justleadership.exe.42ea250.3.raw.unpack, BQX11lY6oX7kEem0G3x.cs High entropy of concatenated method names: 'GKFYp2IpK5', 'GmkYsrMZI0', 'Ql4Y3xB5lY', 'dMSYW6lZkk', 'ljCumkKvrW2WJlr5XGU', 'h6TrcMKO7iCTVSWb2cd', 'Mf8MBtKkBJTFnvI7xT4', 'l56D0PKw2EAH1OuwBHQ', 'jijrL0K4NVPotL1hPDp', 'vgCcqXK1O3ZNlnqv9iA'
Source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, Form1.cs High entropy of concatenated method names: '_003CReadLine_003Eb__2_0', 'GFjiBXfEWlJLUyVmqSe', 'T4Tg8kfLlE7agwrTJ7g', 'k6Kf1Cf8dpXcXagRkqw', 'Form1_Load', 'ReadLine', 'Dispose', 'InitializeComponent', 'phaBoiiTME4u6DN0b9q', 'fee10niQexcRa90hyk8'
Source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, FieldRoot20.cs High entropy of concatenated method names: 'Field1', 'Field5', 'Field2', 'Field3', 'Field4', 'Key4Database', 'Key3Database', 'XMiVT3vpMvuDli8hnNG', 'nA89tOv6CQsjAqwEAoI', 'YgDQWdvA6WpK3OIm9k1'
Source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, FieldRootReaderSql.cs High entropy of concatenated method names: '_003C_002Ector_003Eb__9_0', 'ggfgI3fFQUxjV5Uuun2', 'Un1E7WfYOilyKSxWdQK', 'CZKk85fgTIBg75DF2VT', 'GatherValue', 'ReadMasterOfContext', 'ReadContextTable', 'GetOffset', 'ReadContextValue', 'ConvertToULong'
Source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, SystemInfoHelper.cs High entropy of concatenated method names: '_003CCloseBrowser_003Eb__1', 'YpLLqnf7d74PH5fTwjI', 'JENsrXfrhNgGmKjQAZ6', 'ShowMessage', 'CloseBrowser', 'Add', 'GetProcessors', 'GetGraphicCards', 'GetBrowsers', 'GetSerialNumber'
Source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, DeviceMonitor.cs High entropy of concatenated method names: 'CaptureScreen', 'CaptureWindow', 'MonitorSize', 'GetImageBase', 'ConvertToBytes', 'qcco4JxjRluK7dx5KIE', 'QXFJCNxsiyMiwbPF6B9', 'upqSvtxeLYopCo7kAHy', 'v0lgWRx3UuMx4ZIIIce', 'PrsakNxOuNm1YsZ98xf'
Source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, FieldRootRoot.cs High entropy of concatenated method names: 'Field1', 'fvxWhtvM6smRoQaX8h4', 'WOPFuTvtA2RsXWscaf4', 'OoFmrbvD8oIA7pSCiqZ', 'EAFxlfvbtotX3xiEn36', 'ybIGFQvKYmL8X5sEpLe', 'fBau7Pv0UH8MiDVcAkn', 'vyHrJWv4ZQblABJkjwS'
Source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, BerkeleyDB.cs High entropy of concatenated method names: 'Extract', 'OWGTxfiGADBOjeCPJXi', 'NnVbSBiSEgx4FBlJn6j', 'r0wNbeiIPp1CMloHhF5', 'PH2UmliN7dRsbgy1Rq7', 'mCfheNiJINe3lAmJvkG', 'BlYXiqiEyExBK0a5gtt'
Source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, TripleDes.cs High entropy of concatenated method names: 'ComputeVoid', 'Compute', 'DecryptStringDesCbc', 'DecryptByteDesCbc', 'BmPLjZU7kDwrFWuBjFW', 'mKx3wjUrvJP3pwF7UPd', 'eYDPryU1GaEQyfDKHuf', 'lpKoZgUzSpTtTbMGeyu', 'gtYJE7xkmQaFGNPaEuJ', 'x5kf6Sxp6wbbPlXdJp9'
Source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, A2H1lUZ15GsIooGy4G.cs High entropy of concatenated method names: 'oQmRVv03YssZJBxr5QS', 'S0SnIW0O1NRvUlPLFud', 'LtQPyoxJn7', 'HQS2wQ0xVBb0YkPSIuY', 'lYGhRw0qkaIy2ee5RE5', 'LSOkeC0R3MevMVYWg6x', 'g38PJ8K3c0', 'AZCPHbxqQi', 'kjCPpoa2Hi', 'zssPO0JXVk'
Drops PE files
Source: C:\Users\user\Desktop\PfvmSWvg37.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Jump to dropped file
Source: C:\Users\user\Desktop\PfvmSWvg37.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe File created: C:\Users\user\AppData\Local\cvchost.exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cvchost Jump to behavior
Source: C:\Users\user\Desktop\PfvmSWvg37.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 Jump to behavior
Source: C:\Users\user\Desktop\PfvmSWvg37.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 Jump to behavior
Source: C:\Users\user\Desktop\PfvmSWvg37.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 Jump to behavior
Source: C:\Users\user\Desktop\PfvmSWvg37.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 Jump to behavior
Source: C:\Users\user\Desktop\PfvmSWvg37.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cvchost Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cvchost Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: justleadership.exe PID: 6176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: neverlocation.exe PID: 7056, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: justleadership.exe, 00000002.00000002.2486410922.0000000003389000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: justleadership.exe, 00000002.00000002.2486410922.0000000003389000.00000004.00000800.00020000.00000000.sdmp, justleadership.exe, 00000002.00000002.2486410922.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, neverlocation.exe, 00000009.00000002.2956118773.0000000002BC9000.00000004.00000800.00020000.00000000.sdmp, neverlocation.exe, 00000009.00000002.2956118773.0000000003133000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: justleadership.exe, 00000006.00000002.2515892248.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE@\]Q
Source: justleadership.exe, 00000006.00000002.2515892248.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE`,]Q
Source: justleadership.exe, 00000006.00000002.2515892248.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE
Source: justleadership.exe, 00000002.00000002.2486410922.0000000003389000.00000004.00000800.00020000.00000000.sdmp, neverlocation.exe, 00000009.00000002.2956118773.0000000003133000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL@\]Q
Source: justleadership.exe, 00000002.00000002.2486410922.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, neverlocation.exe, 00000009.00000002.2956118773.0000000002BC9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: EXPLORERJSBIEDLL.DLLKCUCKOOMON.DLLLWIN32_PROCESS.HANDLE='{0}'MPARENTPROCESSIDNCMDOSELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILUREPVERSIONQSERIALNUMBERSVMWARE|VIRTUAL|A M I|XENTSELECT * FROM WIN32_COMPUTERSYSTEMUMANUFACTURERVMODELWMICROSOFT|VMWARE|VIRTUALXJOHNYANNAZXXXXXXXX
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Memory allocated: 2CB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Memory allocated: 2EF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Memory allocated: 2CB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Memory allocated: 2C40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Memory allocated: 2C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Memory allocated: 4C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Memory allocated: F40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Memory allocated: 2B90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Memory allocated: 4B90000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2BF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2D80000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 4D80000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe TID: 2928 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe TID: 2928 Thread sleep time: -38961s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe TID: 5692 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe TID: 6552 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe TID: 6552 Thread sleep time: -38961s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: neverlocation.exe, 00000009.00000002.2956118773.0000000003133000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware\V
Source: neverlocation.exe, 00000009.00000002.2956118773.0000000003133000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q 1:en-CH:VMware|VIRTUAL|A M I|Xen
Source: neverlocation.exe, 00000009.00000002.2956118773.0000000003133000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: sVSCA2uakw9eOsV HubGwkgk@\]q0Microsoft|VMWare|V<Z
Source: neverlocation.exe, 00000009.00000002.2956118773.0000000003133000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q 1:en-CH:Microsoft|VMWare|Virtual
Source: justleadership.exe, 00000002.00000002.2486410922.0000000003389000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: sVSCA2uakw9eOsV HubGwkgk@\]q0Microsoft|VMWare|V<bT
Source: neverlocation.exe, 00000009.00000002.2956118773.0000000002BC9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: justleadership.exe, 00000006.00000002.2515892248.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe`,]q
Source: neverlocation.exe, 00000009.00000002.3005816412.0000000006F21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3302794471.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: qEMUb2
Source: justleadership.exe, 00000006.00000002.2515892248.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe
Source: neverlocation.exe, 00000009.00000002.2956118773.0000000003133000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareLR]q
Source: neverlocation.exe, 00000009.00000002.2956118773.0000000003133000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MXR6R RZD59RK9V5@\]q0VMware|VIRTUAL|A M<
Source: justleadership.exe, 00000002.00000002.2486410922.0000000003389000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareLR]q\z:
Source: justleadership.exe, 00000006.00000002.2515892248.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe@\]q
Source: neverlocation.exe, 00000009.00000002.2956118773.0000000003133000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen@\]q
Source: neverlocation.exe, 00000009.00000002.2956118773.0000000003133000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWareLR]q
Source: neverlocation.exe, 00000009.00000002.2956118773.0000000003133000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
Source: neverlocation.exe, 00000009.00000002.2956118773.0000000002BC9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen(_]q
Source: neverlocation.exe, 00000009.00000002.2956118773.0000000002BC9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: explorerJSbieDll.dllKcuckoomon.dllLwin32_process.handle='{0}'MParentProcessIdNcmdOselect * from Win32_BIOS8Unexpected WMI query failurePversionQSerialNumberSVMware|VIRTUAL|A M I|XenTselect * from Win32_ComputerSystemUmanufacturerVmodelWMicrosoft|VMWare|VirtualXjohnYannaZxxxxxxxx
Source: neverlocation.exe, 00000009.00000002.2952305883.0000000001021000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: justleadership.exe, 00000002.00000002.2486410922.0000000002F29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q 1:en-CH:VMware|VIRTUAL|A M I|Xen
Source: justleadership.exe, 00000002.00000002.2485855344.0000000001212000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Memory written: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe base: D60000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 4B8000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 4BA000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: DE4008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe "C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\modern.fon VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\roman.fon VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\script.fon VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\coure.fon VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\courf.fon VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\serife.fon VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\seriff.fon VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\sserife.fon VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\sseriff.fon VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GILLUBCD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GILSANUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\neverlocation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PfvmSWvg37.exe Code function: 0_2_00007FF7B76B8964 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 0_2_00007FF7B76B8964
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\justleadership.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 6.2.justleadership.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.justleadership.exe.41cdc50.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2512252998.0000000000D62000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2500456520.000000000419A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match File source: Process Memory Space: justleadership.exe PID: 6412, type: MEMORYSTR
Yara detected zgRAT
Source: Yara match File source: 6.2.justleadership.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.justleadership.exe.41cdc50.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 6.2.justleadership.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.justleadership.exe.41cdc50.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2512252998.0000000000D62000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2500456520.000000000419A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match File source: Process Memory Space: justleadership.exe PID: 6412, type: MEMORYSTR
Yara detected zgRAT
Source: Yara match File source: 6.2.justleadership.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.justleadership.exe.41cdc50.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.justleadership.exe.41cdc50.2.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1534828 Sample: PfvmSWvg37.exe Startdate: 16/10/2024 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for dropped file 2->40 42 Antivirus / Scanner detection for submitted sample 2->42 44 14 other signatures 2->44 8 PfvmSWvg37.exe 1 4 2->8         started        12 rundll32.exe 2->12         started        process3 file4 30 C:\Users\user\AppData\...\neverlocation.exe, PE32 8->30 dropped 32 C:\Users\user\AppData\...\justleadership.exe, PE32 8->32 dropped 48 Creates multiple autostart registry keys 8->48 14 neverlocation.exe 15 3 8->14         started        18 justleadership.exe 15 2 8->18         started        signatures5 process6 dnsIp7 34 C:\Users\user\AppData\Local\cvchost.exe, PE32 14->34 dropped 50 Antivirus detection for dropped file 14->50 52 Multi AV Scanner detection for dropped file 14->52 54 Machine Learning detection for dropped file 14->54 60 2 other signatures 14->60 21 MSBuild.exe 2 14->21         started        36 91.208.206.5, 49704, 49874, 80 ALEXHOSTMD unknown 18->36 56 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->56 58 Injects a PE file into a foreign processes 18->58 23 justleadership.exe 4 18->23         started        file8 signatures9 process10 signatures11 26 WerFault.exe 4 21->26         started        46 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 23->46 28 conhost.exe 23->28         started        process12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
91.208.206.5
 unknown unknown
200019 ALEXHOSTMD false

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true
s-part-0017.t-0009.t-msedge.net 13.107.246.45 true
fp2e7a.wpc.phicdn.net 192.229.221.95 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://91.208.206.5/mime/Fwkbz.pdf true
    		unknown
    http://91.208.206.5/mime/Wilouqva.mp4 true
      		unknown