Windows Analysis Report
SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe
Analysis ID: 1632796
MD5: af3df67046abb1a4bd2600009fb51f19
SHA1: 4dc05e14c3e44f51a02555d2230e1c2d8219d66f
SHA256: dc5eb50fd2c6a9351e5b2edb5ab4ddd31f5225ec5260380f05f8cf24e824bffd
Tags: exe, user-SecuriteInfoCom

Detection

RedLine
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
DLL reload attack detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Obfuscated command line found
Renames NTDLL to bypass HIPS
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Uncommon Svchost Parent Process
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Dici.tmp Avira: detection malicious, Label: DR/FakePic.Gen
Source: 0000000A.00000003.1743078453.0000000003EAB000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": "45.67.231.189:49441", "Bot Id": "mamonts", "Authorization Header": "b7fcef6957ac0cbb870615af4b502bf0"}
Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Virustotal: Detection: 71%
Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe ReversingLabs: Detection: 57%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability
Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: jsc.exe, 00000013.00000002.2413035334.000000000115A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: jsc.exe, 00000013.00000002.2413035334.00000000010E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbs source: jsc.exe, 00000013.00000002.2413035334.000000000115A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdbKv source: jsc.exe, 00000013.00000002.2413035334.000000000115A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbP source: jsc.exe, 00000013.00000002.2413035334.000000000115A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: xBCzEiVyOcVH.dll.10.dr
Source: Binary string: wntdll.pdb source: xBCzEiVyOcVH.dll.10.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdbt source: jsc.exe, 00000013.00000002.2413035334.0000000001132000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: jsc.exe, 00000013.00000002.2413035334.000000000114C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: jsc.exe, 00000013.00000002.2413035334.0000000001132000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_00403287 FindFirstFileW,FindClose,SetLastError,CompareFileTime, 0_2_00403287
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_00402C10 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00402C10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_00402D2D FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW, 0_2_00402D2D
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009B4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_009B4005
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009B494A GetFileAttributesW,FindFirstFileW,FindClose, 10_2_009B494A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009B3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_009B3CE2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009BC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_009BC2FF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009BCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_009BCD9F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009BCD14 FindFirstFileW,FindClose, 10_2_009BCD14
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009BF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_009BF5D8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009BF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_009BF735
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009BFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_009BFA36

Networking

Source: Malware configuration extractor URLs: 45.67.231.189:49441
Source: global traffic TCP traffic: 192.168.2.4:49721 -> 45.67.231.189:49441
Source: Joe Sandbox View ASN Name: SERVERIUS-ASNL
Source: unknown DNS traffic detected: query: xCYuqFZpbOjjkUqkfthcb.xCYuqFZpbOjjkUqkfthcb reply code: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 45.67.231.189 (reported 50 times)
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009C29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 10_2_009C29BA
Source: global traffic DNS traffic detected: DNS query: xCYuqFZpbOjjkUqkfthcb.xCYuqFZpbOjjkUqkfthcb
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyx
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/(
Source: jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/
Source: jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/(
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: Rarissima.exe.pif, 0000000A.00000000.1174784742.0000000000A19000.00000002.00000001.01000000.00000006.sdmp, Dici.tmp.0.dr, Rarissima.exe.pif.4.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Rarissima.exe.pif, 0000000A.00000003.1743078453.0000000003EAB000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1743286969.0000000003E38000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1743982842.0000000003E18000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1680425989.00000000050F0000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1744137942.0000000003DF0000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2411191854.0000000000BE2000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Rarissima.exe.pif.4.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr String found in binary or memory: https://www.globalsign.com/repository/06

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_004073A6 SetWindowsHookExW 00000002,Function_00007377,00000000,00000000 0_2_004073A6
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009C4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 10_2_009C4632
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009C4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 10_2_009C4830
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009B0508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 10_2_009B0508
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009DD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 10_2_009DD164

System Summary

Source: 19.2.jsc.exe.be0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 19.2.jsc.exe.be0000.0.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 19.2.jsc.exe.be0000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000003.1743982842.0000000003E18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 0000000A.00000003.1743078453.0000000003EAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 0000000A.00000003.1743286969.0000000003E38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 0000000A.00000003.1680425989.00000000050F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 00000013.00000002.2411191854.0000000000BE2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 0000000A.00000003.1744137942.0000000003DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009B42D5: CreateFileW,DeviceIoControl,CloseHandle, 10_2_009B42D5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009A8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 10_2_009A8F2E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009B5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 10_2_009B5778
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_00404AEB 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_0040F8A3 0_2_0040F8A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_00414A33 0_2_00414A33
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_0041237F 0_2_0041237F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_004146C1 0_2_004146C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_0041479B 0_2_0041479B
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_0095B020 10_2_0095B020
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009594E0 10_2_009594E0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_00959C80 10_2_00959C80
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009723F5 10_2_009723F5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009D8400 10_2_009D8400
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_00986502 10_2_00986502
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_0095E6F0 10_2_0095E6F0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_0098265E 10_2_0098265E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_0097282A 10_2_0097282A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009889BF 10_2_009889BF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009D0A3A 10_2_009D0A3A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_00986A74 10_2_00986A74
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_00960BE0 10_2_00960BE0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009AEDB2 10_2_009AEDB2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_0097CD51 10_2_0097CD51
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009D0EB7 10_2_009D0EB7
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009B8E44 10_2_009B8E44
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_00986FE6 10_2_00986FE6
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009733B7 10_2_009733B7
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_0097F409 10_2_0097F409
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_0096D45D 10_2_0096D45D
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009716B4 10_2_009716B4
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_0095F6A0 10_2_0095F6A0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_0096F628 10_2_0096F628
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_00951663 10_2_00951663
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009778C3 10_2_009778C3
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_0097DBA5 10_2_0097DBA5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_00971BA8 10_2_00971BA8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_0096DD28 10_2_0096DD28
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_0097BFD6 10_2_0097BFD6
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_00971FC0 10_2_00971FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 19_2_013EF608 19_2_013EF608
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\xBCzEiVyOcVH.dll 28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: String function: 00961A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: String function: 00970D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: String function: 00978B30 appears 42 times
Source: xBCzEiVyOcVH.dll.10.dr Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: xBCzEiVyOcVH.dll.10.dr Static PE information: No import functions for PE file found
Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe, 00000000.00000000.1163476792.000000000041C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSbieSupport.dllj% vs SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe
Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe, 00000000.00000002.1230068469.00000000047B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSbieSupport.dllj% vs SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe
Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Binary or memory string: OriginalFilenameSbieSupport.dllj% vs SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe
Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 19.2.jsc.exe.be0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 19.2.jsc.exe.be0000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 19.2.jsc.exe.be0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000003.1743982842.0000000003E18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0000000A.00000003.1743078453.0000000003EAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0000000A.00000003.1743286969.0000000003E38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0000000A.00000003.1680425989.00000000050F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 00000013.00000002.2411191854.0000000000BE2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0000000A.00000003.1744137942.0000000003DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: xBCzEiVyOcVH.dll.10.dr Binary string: \Device\IPT[
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@24/6@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_00407C28 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree, 0_2_00407C28
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009A8DE9 AdjustTokenPrivileges,CloseHandle, 10_2_009A8DE9
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009A9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 10_2_009A9399
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009BB976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 10_2_009BB976
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009B4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 10_2_009B4148
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_00403663 _wtol,_wtol,SHGetSpecialFolderPathW,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00403663
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_0040683D memcpy,SystemParametersInfoW,GetDC,GetDeviceCaps,MulDiv,ReleaseDC,GetModuleHandleW,FindResourceA,LoadResource,LockResource,DialogBoxIndirectParamW, 0_2_0040683D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: user32.dll 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: user32.dll 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: sfxtest 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: sfxconfig 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: SfxString%d 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: SetEnvironment 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: SetEnvironment 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: SetEnvironment 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: HelpText 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: InstallPath 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: BeginPrompt 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: AutoInstall 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: AutoInstall 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: ExecuteFile 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: ExecuteFile 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: ExecuteFile 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: RunProgram 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: RunProgram 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: RunProgram 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: 7ZipSfx.%03x 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: setup.exe 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: setup.exe 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: setup.exe 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: Shortcut 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: Delete 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Command line argument: SelfDelete 0_2_00404AEB
Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'BULLGUARDCORE.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'PSUASERVICE.EXE'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Virustotal: Detection: 71%
Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd < Bel.tmp
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "imagename eq BullGuardCore.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /I /N "bullguardcore.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "imagename eq PSUAService.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /I /N "psuaservice.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^BMFIocnwPbapedepYbhWqofGZurIuQVJxjUhlGSmSVBHSStsfyboyoBzbYJwaQVYCIOPvPZsEOttGIOueLaqzNEjKBPjXRuwqCtptgVmuyDdrvMPlCYGbU$" Dici.tmp
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Rarissima.exe.pif u
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\waitfor.exe waitfor /t 5 cPJmppTIOgHphOgIZlJIVQpIXRsFPuungjFRADw
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\find.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\find.exe Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\waitfor.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\waitfor.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\waitfor.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\waitfor.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\waitfor.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\tasklist.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: jsc.exe, 00000013.00000002.2413035334.000000000115A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: jsc.exe, 00000013.00000002.2413035334.00000000010E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbs source: jsc.exe, 00000013.00000002.2413035334.000000000115A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdbKv source: jsc.exe, 00000013.00000002.2413035334.000000000115A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbP source: jsc.exe, 00000013.00000002.2413035334.000000000115A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: xBCzEiVyOcVH.dll.10.dr
Source: Binary string: wntdll.pdb source: xBCzEiVyOcVH.dll.10.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdbt source: jsc.exe, 00000013.00000002.2413035334.0000000001132000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: jsc.exe, 00000013.00000002.2413035334.000000000114C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: jsc.exe, 00000013.00000002.2413035334.0000000001132000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^BMFIocnwPbapedepYbhWqofGZurIuQVJxjUhlGSmSVBHSStsfyboyoBzbYJwaQVYCIOPvPZsEOttGIOueLaqzNEjKBPjXRuwqCtptgVmuyDdrvMPlCYGbU$" Dici.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_004067E3 LoadLibraryA,GetProcAddress,GetWindow,GetWindow,GetWindow, 0_2_004067E3
Source: xBCzEiVyOcVH.dll.10.dr Static PE information: section name: RT
Source: xBCzEiVyOcVH.dll.10.dr Static PE information: section name: .mrdata
Source: xBCzEiVyOcVH.dll.10.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_004142E9 push ecx; ret 0_2_004142FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_00413EFC push eax; ret 0_2_00413F1A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_00978B75 push ecx; ret 10_2_00978B88
Source: xBCzEiVyOcVH.dll.10.dr Static PE information: section name: .text entropy: 6.844715065913507

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\xBCzEiVyOcVH.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\7ZIPSFX.000\XBCZEIVYOCVH.DLL reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009D59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 10_2_009D59B3
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_00965EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 10_2_00965EDA
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009733B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_009733B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif File opened: C:\Windows\SysWOW64\ntdll.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 13A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 3050000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 2E50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\xBCzEiVyOcVH.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif API coverage: 5.8 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7580 Thread sleep time: -35000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_00404AEB GetLocalTime followed by cmp: cmp word ptr [ebp-000000c6h], 0004h and CTI: jne 00404B4Ah 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_00404AEB GetLocalTime followed by cmp: cmp word ptr [ebp-000000cah], 000bh and CTI: jne 00404B70h 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_00404AEB GetLocalTime followed by cmp: cmp word ptr [ebp-000000cch], ax and CTI: je 00405F43h 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_00404AEB GetLocalTime followed by cmp: cmp word ptr [ebp-000000c6h], 0019h and CTI: jne 00404B70h 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_00404AEB GetLocalTime followed by cmp: cmp word ptr [ebp-000000cah], 0006h and CTI: jne 00404B70h 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_00404AEB GetLocalTime followed by cmp: cmp word ptr [ebp-000000cch], ax and CTI: je 00405F43h 0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_00403287 FindFirstFileW,FindClose,SetLastError,CompareFileTime, 0_2_00403287
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_00402C10 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00402C10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_00402D2D FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW, 0_2_00402D2D
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009B4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_009B4005
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009B494A GetFileAttributesW,FindFirstFileW,FindClose, 10_2_009B494A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009B3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_009B3CE2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009BC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_009BC2FF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009BCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_009BCD9F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009BCD14 FindFirstFileW,FindClose, 10_2_009BCD14
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009BF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_009BF5D8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009BF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_009BF735
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009BFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_009BFA36
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_00965D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 10_2_00965D13
Source: jsc.exe, 00000013.00000002.2413035334.0000000001132000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: Rarissima.exe.pif, 0000000A.00000003.1748202752.0000000001105000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1748731778.0000000001157000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1747680237.00000000010E0000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1749052087.0000000001161000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1749444084.0000000001170000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1748565407.0000000001131000.00000004.00000020.00020000.00000000.sdmp, Inclina.tmp.0.dr Binary or memory string: $SOMRYkBrHgFSadoimWqgKya = '698861197740405166678069256050785232686638371'
Source: Inclina.tmp.0.dr Binary or memory string: $kCMoQuvMCIRwpguFf = 2112+3591
Source: Rarissima.exe.pif, 0000000A.00000003.1752519900.00000000038D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: KCMOQUVMCIRWPGUFF
Source: Inclina.tmp.0.dr Binary or memory string: While $yGTDOXIgXJVyDEaErPcBPFWhzsaXZBDnCppgwWQzkQnyoAYgZZVVmCimJG < 27
Source: Rarissima.exe.pif, 0000000A.00000003.1752519900.00000000038D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: KCMOQUVMCIRWPGUFFgC7`A
Source: Rarissima.exe.pif, 0000000A.00000003.1751439433.0000000003B0C000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1751756327.0000000003B0C000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1751294677.0000000003B05000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SOMRYKBRHGFSADOIMWQGKYA
Source: Inclina.tmp.0.dr Binary or memory string: $kCMoQuvMCIRwpguFf = Execute('Ptr(324)')
Source: Rarissima.exe.pif, 0000000A.00000003.1747609397.00000000010C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $kCMoQuvMCIRwpguFf = Execute('Ptr(324)')e
Source: Rarissima.exe.pif, 0000000A.00000003.1747609397.00000000010C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $kCMoQuvMCIRwpguFf = 2112+35911
Source: Inclina.tmp.0.dr Binary or memory string: $yGTDOXIgXJVyDEaErPcBPFWhzsaXZBDnCppgwWQzkQnyoAYgZZVVmCimJG = $yGTDOXIgXJVyDEaErPcBPFWhzsaXZBDnCppgwWQzkQnyoAYgZZVVmCimJG + 1
Source: Rarissima.exe.pif, 0000000A.00000003.1749444084.0000000001194000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $yGTDOXIgXJVyDEaErPcBPFWhzsaXZBDnCppgwWQzkQnyoAYgZZVVmCimJG = $yGTDOXIgXJVyDEaErPcBPFWhzsaXZBDnCppgwWQzkQnyoAYgZZVVmCimJG + 1|
Source: Inclina.tmp.0.dr Binary or memory string: $yGTDOXIgXJVyDEaErPcBPFWhzsaXZBDnCppgwWQzkQnyoAYgZZVVmCimJG = 0
Source: Rarissima.exe.pif, 0000000A.00000003.1750905001.0000000003BD9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: YGTDOXIGXJVYDEAERPCBPFWHZSAXZBDNCPPGWWQZKQNYOAYGZZVVMCIMJG
Source: Rarissima.exe.pif, 0000000A.00000003.1750480379.0000000003DD6000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000002.1758914723.0000000003DD6000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1749762496.0000000003DC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009C45D5 BlockInput, 10_2_009C45D5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_00965240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 10_2_00965240
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_00985CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 10_2_00985CAC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_004067E3 LoadLibraryA,GetProcAddress,GetWindow,GetWindow,GetWindow, 0_2_004067E3
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009A88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 10_2_009A88CD
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_00414365 SetUnhandledExceptionFilter, 0_2_00414365
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_004145D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004145D4
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_0097A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_0097A385
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_0097A354 SetUnhandledExceptionFilter, 10_2_0097A354
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: BE0000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: BE0000
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: DC7000
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009A9369 LogonUserW, 10_2_009A9369
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_00965240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 10_2_00965240
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009B1AC6 SendInput,keybd_event, 10_2_009B1AC6
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009B51E2 mouse_event, 10_2_009B51E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd < Bel.tmp
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "imagename eq BullGuardCore.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /I /N "bullguardcore.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "imagename eq PSUAService.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /I /N "psuaservice.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^BMFIocnwPbapedepYbhWqofGZurIuQVJxjUhlGSmSVBHSStsfyboyoBzbYJwaQVYCIOPvPZsEOttGIOueLaqzNEjKBPjXRuwqCtptgVmuyDdrvMPlCYGbU$" Dici.tmp
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Rarissima.exe.pif u
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\waitfor.exe waitfor /t 5 cPJmppTIOgHphOgIZlJIVQpIXRsFPuungjFRADw
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009A88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 10_2_009A88CD
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009B4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 10_2_009B4F1C
Source: Rarissima.exe.pif, 0000000A.00000000.1174665285.0000000000A06000.00000002.00000001.01000000.00000006.sdmp, Dici.tmp.0.dr, Rarissima.exe.pif.4.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Rarissima.exe.pif Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_0040D280 cpuid 0_2_0040D280
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar, 0_2_0040275A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe Code function: 0_2_00404AEB ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,GetLocalTime,GetFileAttributesW,LoadLibraryW,GetComputerNameW,wcscmp,wcscmp,wcscmp,wcscmp,wcscmp,wcscmp,wcscmp,GetModuleHandleW,GetModuleHandleW,GetLastError,GetModuleHandleW,GetProcAddress,MessageBoxTimeoutW,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitializeEx,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00404AEB
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_00990722 GetUserNameW, 10_2_00990722
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_0098416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 10_2_0098416A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_00965D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 10_2_00965D13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 19.2.jsc.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000003.1743982842.0000000003E18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1743078453.0000000003EAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1743286969.0000000003E38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1680425989.00000000050F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2411191854.0000000000BE2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1744137942.0000000003DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Rarissima.exe.pif PID: 7608, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jsc.exe PID: 7576, type: MEMORYSTR
Source: Rarissima.exe.pif Binary or memory string: WIN_81
Source: Rarissima.exe.pif Binary or memory string: WIN_XP
Source: Rarissima.exe.pif Binary or memory string: WIN_XPe
Source: Rarissima.exe.pif Binary or memory string: WIN_VISTA
Source: Rarissima.exe.pif Binary or memory string: WIN_7
Source: Rarissima.exe.pif Binary or memory string: WIN_8
Source: Rarissima.exe.pif.4.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: Yara match File source: 19.2.jsc.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000003.1743982842.0000000003E18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1743078453.0000000003EAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1743286969.0000000003E38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1680425989.00000000050F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2411191854.0000000000BE2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1744137942.0000000003DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Rarissima.exe.pif PID: 7608, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jsc.exe PID: 7576, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009C696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 10_2_009C696E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Code function: 10_2_009C6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 10_2_009C6E32