Windows Analysis Report
CswRsjV3kH.exe

Overview

General Information

Sample name:	CswRsjV3kH.exe renamed because original name is a hash value
Original sample name:	3E6CD9723E292652064FC1A06D75CBE4.exe
Analysis ID:	1429015
MD5:	3e6cd9723e292652064fc1a06d75cbe4
SHA1:	f1f8ab71fa3dd76b0491c4b5133fdeb2f9fae162
SHA256:	9172b16ccd9506d70f0ef99e07853e683f700a0b79f83dfa6a121abf97ec48cd
Tags:	exeRedLineStealer
Infos:

Detection

RedLine

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

.NET source code contains very large array initializations

Hides threads from debuggers

Installs new ROOT certificates

Machine Learning detection for sample

PE file has nameless sections

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Detected potential crypto function

Drops certificate files (DER)

Enables debug privileges

Enables security privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: CswRsjV3kH.exe	ReversingLabs: Detection: 50%
Source: CswRsjV3kH.exe	Virustotal: Detection: 36%			Perma Link

Machine Learning detection for sample

Source: CswRsjV3kH.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: CswRsjV3kH.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:

Binary string: _.pdb source: CswRsjV3kH.exe, 00000000.00000002.1685662213.000000000565E000.00000004.08000000.00040000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000002.1680722858.0000000003137000.00000004.00000800.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1639408489.00000000055CD000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000002.1685108688.0000000004423000.00000004.00000800.00020000.00000000.sdmp

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]		0_2_05698254
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]		0_2_05699ED9

Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.0000000003451000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $tq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\tq equals www.youtube.com (Youtube)
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $tq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\|- equals www.youtube.com (Youtube)
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.0000000003451000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.0000000003451000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\tq equals www.youtube.com (Youtube)
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.0000000003451000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,tq equals www.youtube.com (Youtube)
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.0000000003451000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `,tq#www.youtube.com_0.indexeddb.le equals www.youtube.com (Youtube)

Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: CswRsjV3kH.exe, 00000000.00000003.1664654420.0000000006225000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664764436.0000000006225000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664462458.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664434642.00000000061FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: CswRsjV3kH.exe, 00000000.00000003.1654236666.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654472364.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654764234.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657195062.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1658370268.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655846532.00000000061F5000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1658538269.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654699594.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655527565.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1658182658.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657286178.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657632244.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656940174.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654887659.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654011505.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657918553.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1653941163.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654388886.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657376337.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654625721.0000000006202000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: CswRsjV3kH.exe, 00000000.00000003.1654159342.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654236666.0000000006202000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: CswRsjV3kH.exe, 00000000.00000003.1653867572.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1653674845.0000000006201000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comfac
Source: CswRsjV3kH.exe, 00000000.00000003.1653867572.0000000006202000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comint
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: CswRsjV3kH.exe, 00000000.00000003.1654998784.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654832344.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654472364.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654764234.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654699594.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654309116.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654887659.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654388886.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654625721.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655063802.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654550278.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654944132.0000000006202000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comn-u
Source: CswRsjV3kH.exe, 00000000.00000003.1653867572.0000000006202000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comncy
Source: CswRsjV3kH.exe, 00000000.00000003.1654998784.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654832344.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654764234.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654887659.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655063802.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654944132.0000000006202000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comoldbsKCt
Source: CswRsjV3kH.exe, 00000000.00000003.1654998784.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654832344.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654764234.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654699594.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654887659.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654625721.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655063802.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654550278.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654944132.0000000006202000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comubh
Source: CswRsjV3kH.exe, 00000000.00000002.1679039317.000000000050B000.00000040.00000001.01000000.00000003.sdmp, CswRsjV3kH.exe, 00000000.00000002.1679039317.000000000066C000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.enigmaprotector.com/
Source: CswRsjV3kH.exe, 00000000.00000002.1679039317.000000000050B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.enigmaprotector.com/openU
Source: CswRsjV3kH.exe, 00000000.00000003.1659824764.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664081319.00000000061FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: CswRsjV3kH.exe, 00000000.00000003.1659428876.00000000061FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: CswRsjV3kH.exe, 00000000.00000003.1659325114.0000000006227000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: CswRsjV3kH.exe, 00000000.00000003.1659356967.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659428876.00000000061FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/.
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: CswRsjV3kH.exe, 00000000.00000003.1664791143.00000000061F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: CswRsjV3kH.exe, 00000000.00000003.1663935993.0000000006225000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html.
Source: CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers0
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: CswRsjV3kH.exe, 00000000.00000003.1657068872.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656940174.00000000061FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/jp/
Source: CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/jp/ExKC
Source: CswRsjV3kH.exe, 00000000.00000003.1657068872.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657452652.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657195062.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657286178.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657632244.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656940174.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657376337.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657543806.00000000061FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/oy
Source: CswRsjV3kH.exe, 00000000.00000003.1657068872.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656940174.00000000061FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com0X
Source: CswRsjV3kH.exe, 00000000.00000003.1659428876.00000000061FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF5y
Source: CswRsjV3kH.exe, 00000000.00000003.1659356967.00000000061FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comaExKC
Source: CswRsjV3kH.exe, 00000000.00000003.1659356967.00000000061FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalic
Source: CswRsjV3kH.exe, 00000000.00000003.1660548876.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660233223.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659750310.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660459235.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660372621.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659824764.00000000061FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comas
Source: CswRsjV3kH.exe, 00000000.00000003.1660645580.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660548876.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660233223.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659575709.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659750310.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660459235.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659499318.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660372621.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659642404.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659824764.00000000061FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comgritoty
Source: CswRsjV3kH.exe, 00000000.00000003.1660645580.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660548876.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660233223.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659750310.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660459235.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660372621.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659824764.00000000061FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comivta
Source: CswRsjV3kH.exe, 00000000.00000003.1664306645.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1663965051.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664081319.00000000061FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comoldooy
Source: CswRsjV3kH.exe, 00000000.00000003.1664306645.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1663965051.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664434642.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664081319.00000000061FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comu
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: CswRsjV3kH.exe, 00000000.00000003.1664791143.00000000061F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: CswRsjV3kH.exe, 00000000.00000003.1664791143.00000000061F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/oy
Source: CswRsjV3kH.exe, 00000000.00000003.1664791143.00000000061F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/qmwB-
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664791143.00000000061F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: CswRsjV3kH.exe, 00000000.00000003.1664791143.00000000061F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm)u
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: CswRsjV3kH.exe, 00000000.00000003.1656940174.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657918553.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657376337.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1658010386.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657543806.00000000061FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: CswRsjV3kH.exe, 00000000.00000003.1657068872.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656151119.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655846532.00000000061F5000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655527565.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656940174.00000000061FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//rdNxPCa
Source: CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/1
Source: CswRsjV3kH.exe, 00000000.00000003.1656151119.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655846532.00000000061F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/5y
Source: CswRsjV3kH.exe, 00000000.00000003.1656151119.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655527565.00000000061F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ExKC
Source: CswRsjV3kH.exe, 00000000.00000003.1656151119.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Kurs
Source: CswRsjV3kH.exe, 00000000.00000003.1656940174.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657918553.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657376337.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1658010386.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657543806.00000000061FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/ExKC
Source: CswRsjV3kH.exe, 00000000.00000003.1655846532.00000000061F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/oy
Source: CswRsjV3kH.exe, 00000000.00000003.1656151119.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655527565.00000000061F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/oy
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1653760373.0000000006208000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: CswRsjV3kH.exe, 00000000.00000003.1653507227.0000000006208000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnS
Source: CswRsjV3kH.exe, 00000000.00000003.1653507227.0000000006208000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cns
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.000000000341C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.000000000341C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/

Installs a raw input device (often for capturing keystrokes)

Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000035E3000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_dc51b542-f

Yara detected Keylogger Generic

Source: Yara match

File source: Process Memory Space: CswRsjV3kH.exe PID: 7536, type: MEMORYSTR

Drops certificate files (DER)

Source: C:\Users\user\Desktop\CswRsjV3kH.exe	File created: C:\Users\user\AppData\Local\Temp\TmpDBE7.tmp			Jump to dropped file
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	File created: C:\Users\user\AppData\Local\Temp\TmpDBC7.tmp			Jump to dropped file

System Summary

.NET source code contains very large array initializations

Source: 0.2.CswRsjV3kH.exe.30c9f16.3.raw.unpack, Strings.cs	Large array initialization: Strings: array initializer size 6160
Source: 0.2.CswRsjV3kH.exe.5da0000.9.raw.unpack, Strings.cs	Large array initialization: Strings: array initializer size 6160
Source: 0.2.CswRsjV3kH.exe.443f790.6.raw.unpack, Strings.cs	Large array initialization: Strings: array initializer size 6160
Source: 0.2.CswRsjV3kH.exe.43b6458.5.raw.unpack, Strings.cs	Large array initialization: Strings: array initializer size 6160
Source: 0.2.CswRsjV3kH.exe.55f0ee8.8.raw.unpack, Strings.cs	Large array initialization: Strings: array initializer size 6160
Source: 0.3.CswRsjV3kH.exe.555ff08.0.raw.unpack, Strings.cs	Large array initialization: Strings: array initializer size 6160

PE file has nameless sections

Source: CswRsjV3kH.exe	Static PE information: section name:
Source: CswRsjV3kH.exe	Static PE information: section name:
Source: CswRsjV3kH.exe	Static PE information: section name:
Source: CswRsjV3kH.exe	Static PE information: section name:
Source: CswRsjV3kH.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_0320B040	0_2_0320B040
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_056970A8	0_2_056970A8
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_05697098	0_2_05697098
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_0569509C	0_2_0569509C
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_072EA29C	0_2_072EA29C
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_072E8028	0_2_072E8028
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_072E3AFC	0_2_072E3AFC
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_072E44B9	0_2_072E44B9
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_09348198	0_2_09348198
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_093489B8	0_2_093489B8

Enables security privileges

Source: C:\Users\user\Desktop\CswRsjV3kH.exe

Process token adjusted: Security

Source: CswRsjV3kH.exe, 00000000.00000002.1685894112.0000000005E0D000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000003.1673844031.0000000004783000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000003.1673844031.0000000004551000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000003.1638897189.0000000000B78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000002.1685662213.000000000565E000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000002.1685662213.000000000565E000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000002.1680722858.0000000003137000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000002.1680722858.0000000003137000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000003.1639408489.00000000055CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000003.1639408489.00000000055CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000002.1685108688.00000000044AC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000000.1634992563.00000000004EF000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000002.1685108688.0000000004423000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000002.1685108688.0000000004423000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000002.1678970760.00000000004EF000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe	Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe

Source: CswRsjV3kH.exe	Static PE information: Section: ZLIB complexity 0.9938467920353983
Source: CswRsjV3kH.exe	Static PE information: Section: ZLIB complexity 0.9993669519472361
Source: CswRsjV3kH.exe	Static PE information: Section: .data ZLIB complexity 0.9971359185710352

Source: 0.2.CswRsjV3kH.exe.30c9f16.3.raw.unpack, PBE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CswRsjV3kH.exe.30c9f16.3.raw.unpack, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.CswRsjV3kH.exe.5da0000.9.raw.unpack, PBE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CswRsjV3kH.exe.5da0000.9.raw.unpack, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.CswRsjV3kH.exe.443f790.6.raw.unpack, PBE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CswRsjV3kH.exe.443f790.6.raw.unpack, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.CswRsjV3kH.exe.43b6458.5.raw.unpack, PBE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CswRsjV3kH.exe.43b6458.5.raw.unpack, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.CswRsjV3kH.exe.55f0ee8.8.raw.unpack, PBE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CswRsjV3kH.exe.55f0ee8.8.raw.unpack, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.CswRsjV3kH.exe.555ff08.0.raw.unpack, PBE.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.CswRsjV3kH.exe.30c9f16.3.raw.unpack, Strings.cs	Base64 encoded string: 'JjgkEDEHHhMUBAJXMC4rVyBfOFYoWyA1Gl8jUgcxIC0XXRoQNFkWFgwrAisxWRYiEF44DytbDVUhFV5a'
Source: 0.2.CswRsjV3kH.exe.5da0000.9.raw.unpack, Strings.cs	Base64 encoded string: 'JjgkEDEHHhMUBAJXMC4rVyBfOFYoWyA1Gl8jUgcxIC0XXRoQNFkWFgwrAisxWRYiEF44DytbDVUhFV5a'
Source: 0.2.CswRsjV3kH.exe.443f790.6.raw.unpack, Strings.cs	Base64 encoded string: 'JjgkEDEHHhMUBAJXMC4rVyBfOFYoWyA1Gl8jUgcxIC0XXRoQNFkWFgwrAisxWRYiEF44DytbDVUhFV5a'
Source: 0.2.CswRsjV3kH.exe.43b6458.5.raw.unpack, Strings.cs	Base64 encoded string: 'JjgkEDEHHhMUBAJXMC4rVyBfOFYoWyA1Gl8jUgcxIC0XXRoQNFkWFgwrAisxWRYiEF44DytbDVUhFV5a'
Source: 0.2.CswRsjV3kH.exe.55f0ee8.8.raw.unpack, Strings.cs	Base64 encoded string: 'JjgkEDEHHhMUBAJXMC4rVyBfOFYoWyA1Gl8jUgcxIC0XXRoQNFkWFgwrAisxWRYiEF44DytbDVUhFV5a'
Source: 0.3.CswRsjV3kH.exe.555ff08.0.raw.unpack, Strings.cs	Base64 encoded string: 'JjgkEDEHHhMUBAJXMC4rVyBfOFYoWyA1Gl8jUgcxIC0XXRoQNFkWFgwrAisxWRYiEF44DytbDVUhFV5a'

Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03

Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CswRsjV3kH.exe "C:\Users\user\Desktop\CswRsjV3kH.exe"
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Section loaded: linkinfo.dll	Jump to behavior

Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_005133EA push 00513418h; ret	0_2_00513410
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_005243A0 push 00524400h; ret	0_2_005243F8
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_00524456 push 005245A4h; ret	0_2_0052459C
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_00525454 push 005254A1h; ret	0_2_00525499
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_0051345C push 00513488h; ret	0_2_00513480
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_00513424 push 00513450h; ret	0_2_00513448
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_005134F8 push 0051352Ch; ret	0_2_00513524
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_00513494 push 005134C0h; ret	0_2_005134B8
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_00523536 push 005235B5h; ret	0_2_005235AD
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_005115F0 push 00511641h; ret	0_2_00511639
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_0052262C push 005226A2h; ret	0_2_0052269A
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_0051B6DA push 0051B74Bh; ret	0_2_0051B743
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_00524684 push ecx; mov dword ptr [esp], ecx	0_2_00524687
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_005226A4 push 0052274Ch; ret	0_2_00522744
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_0052274E push 0052279Ch; ret	0_2_00522794
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_0051B85E push 0051B88Ch; ret	0_2_0051B884
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_00523804 push 00523830h; ret	0_2_00523828
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_005248F4 push ecx; mov dword ptr [esp], ecx	0_2_005248F6
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_005118AA push 005118D8h; ret	0_2_005118D0
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_00511968 push 00511994h; ret	0_2_0051198C
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_00512A48 push ecx; mov dword ptr [esp], eax	0_2_00512A49
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_00512CF2 push 00512D20h; ret	0_2_00512D18
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_0051AD60 push ecx; mov dword ptr [esp], edx	0_2_0051AD65
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_00512D2C push 00512D58h; ret	0_2_00512D50
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_0050DF90 push eax; ret	0_2_0050DFCC
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_05698F21 push 0C418B05h; ret	0_2_05698F33
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_05698E81 push 1C418B05h; ret	0_2_05698E93
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_0934550F push dword ptr [esp+ecx*2-75h]; ret	0_2_09345513

Source: CswRsjV3kH.exe	Static PE information: section name: entropy: 7.990134528702455
Source: CswRsjV3kH.exe	Static PE information: section name: entropy: 7.94187495363733
Source: CswRsjV3kH.exe	Static PE information: section name: entropy: 7.276454522865523
Source: CswRsjV3kH.exe	Static PE information: section name: entropy: 7.9988804946234415
Source: CswRsjV3kH.exe	Static PE information: section name: .data entropy: 7.982788491977175

Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000034AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE`,TQ
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000034AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\TQ
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\|-
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000034AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE

Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Memory allocated: 31C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Memory allocated: 33B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Memory allocated: 53B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_02774448 mov eax, dword ptr fs:[00000030h]		0_2_02774448
Source: C:\Users\user\Desktop\CswRsjV3kH.exe	Code function: 0_2_02774448 mov eax, dword ptr fs:[00000030h]		0_2_02774448

Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000035E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000035E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Source: Yara match	File source: 0.2.CswRsjV3kH.exe.43b6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.CswRsjV3kH.exe.555ff08.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CswRsjV3kH.exe.55f0ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CswRsjV3kH.exe.55f0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CswRsjV3kH.exe.30c9f16.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CswRsjV3kH.exe.443f790.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CswRsjV3kH.exe.5da0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CswRsjV3kH.exe.30c9f16.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CswRsjV3kH.exe.5da0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.CswRsjV3kH.exe.555ff08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CswRsjV3kH.exe.43b6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CswRsjV3kH.exe.55f0ee8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CswRsjV3kH.exe.55f0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CswRsjV3kH.exe.443f790.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CswRsjV3kH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1680722858.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685662213.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685108688.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1639408489.000000000555F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685108688.0000000004423000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685894112.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

ID:	1429015
Product:	CloudBasic
Start time:	02:26:06
Start date:	20.04.2024
Sample:	CswRsjV3kH.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	3e6cd9723e292652064fc1a06d75cbe4
SHA1:	f1f8ab71fa3dd76b0491c4b5133fdeb2f9fae162
SHA256:	9172b16ccd9506d70f0ef99e07853e683f700a0b79f83dfa6a121abf97ec48cd
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\Public\Desktop\Google Chrome.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:30 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide	9875E104CB324E01FAFCC8FFE1FE03B2	5C33977193136157B9380CEC5B6C2AD95898EEC1	A9D4490252C80800C3E2643047905F5E47331BA0C00BB738A6B28C5611330A51
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CswRsjV3kH.exe.log	ASCII text, with CRLF line terminators	D62639C5676A8FA1A0C2215824B6553A	544B2C6E7A43CE06B68DF441CC237AB7A742B5CD	761379FF547D28D053F7683499D25F7F1B5523CC7262A2DA64AF26448F7E2D76
C:\Users\user\AppData\Local\Temp\TmpDBC7.tmp	data	1420D30F964EAC2C85B2CCFE968EEBCE	BDF9A6876578A3E38079C4F8CF5D6C79687AD750	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
C:\Users\user\AppData\Local\Temp\TmpDBE7.tmp	data	1420D30F964EAC2C85B2CCFE968EEBCE	BDF9A6876578A3E38079C4F8CF5D6C79687AD750	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06	data	0158FE9CEAD91D1B027B795984737614	B41A11F909A7BDF1115088790A5680AC4E23031B	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A

Windows Analysis Report CswRsjV3kH.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
CswRsjV3kH.exe

Malware Threat Intel
Provided by