Windows Analysis Report
RbCSdRdU5F.exe

Overview

General Information

Sample name: RbCSdRdU5F.exe (renamed because the original name is a hash value)
Original sample name: dba844b00d59c245382b87ce7441a86c23df76cd517c5a291e91e76ecb8b7873.exe
Analysis ID: 1638139
MD5: ab66a0f09e2d38da41b282658794f9d6
SHA1: 4d1c639e9350ca196dd464244a96089b005065cd
SHA256: dba844b00d59c245382b87ce7441a86c23df76cd517c5a291e91e76ecb8b7873
Tags: exe, InfinixTechnologies, user-JAMESWT_MHT

Detection

Score: 78
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Joe Sandbox ML detected suspicious sample
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript called in batch mode (suppress errors)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • RbCSdRdU5F.exe (PID: 7428 cmdline: "C:\Users\user\Desktop\RbCSdRdU5F.exe" MD5: AB66A0F09E2D38DA41B282658794F9D6)
    • cmd.exe (PID: 8000 cmdline: "C:\Windows\system32\cmd.exe" /c expand Panic.potx Panic.potx.bat & Panic.potx.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • expand.exe (PID: 6832 cmdline: expand Panic.potx Panic.potx.bat MD5: 544B0DBFF3F393BCE8BB9D815F532D51)
      • tasklist.exe (PID: 8184 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7200 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 6728 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 6776 cmdline: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 1812 cmdline: cmd /c md 70410 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • extrac32.exe (PID: 1488 cmdline: extrac32 /Y /E Apple.potx MD5: 9472AAB6390E4F1431BAA912FCFF9707)
      • findstr.exe (PID: 7972 cmdline: findstr /V "ALIGN" Installation MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 6040 cmdline: cmd /c copy /b 70410\Fault.com + Contains + Faith + Trackback + Yang + Podcasts + Leaving + Newport + Searched + Accepts + Namely + Food 70410\Fault.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 2140 cmdline: cmd /c copy /b ..\Nsw.potx + ..\Army.potx + ..\Administrative.potx + ..\Calculations.potx + ..\Simultaneously.potx + ..\Closely.potx + ..\Nationwide.potx + ..\Ton.potx J MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Fault.com (PID: 2044 cmdline: Fault.com J MD5: 62D09F076E6E0240548C2F837536A46A)
        • cmd.exe (PID: 8036 cmdline: cmd /c schtasks.exe /create /tn "Messaging" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 5092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • schtasks.exe (PID: 2736 cmdline: schtasks.exe /create /tn "Messaging" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)
        • cmd.exe (PID: 7200 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & echo URL="C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 1672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 3140 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • wscript.exe (PID: 6296 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • InnoMesh.com (PID: 7948 cmdline: "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com" "C:\Users\user\AppData\Local\TechMesh Dynamics\Q" MD5: 62D09F076E6E0240548C2F837536A46A)
  • wscript.exe (PID: 3620 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • InnoMesh.com (PID: 1460 cmdline: "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com" "C:\Users\user\AppData\Local\TechMesh Dynamics\Q" MD5: 62D09F076E6E0240548C2F837536A46A)
  • cleanup
No configs have been found
No yara matches
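The process tree above is the whole infection chain in one screen: cmd.exe uses expand to turn a .potx into a .bat, greps tasklist output for security-product process names, reassembles a payload with copy /b from chunk files, launches the resulting .com (an AutoIt host, judging by the autoitscript.com strings later in the report), and persists it with a schtasks job that runs wscript //B on a .js under AppData. The following detection logic is an added example written for this page; it is not part of the Joe Sandbox report or of the Sigma rules it cites. The events are constructed from the command lines printed in the tree (the Image field for Fault.com is not shown in the tree, so only InnoMesh.com is used for the .com rule), the field names follow the Sysmon EventID 1 convention, and the rule names are this example's own.

```python
"""Detection logic for the dropper chain in the process tree above.

Added example, not part of the Joe Sandbox report. The events below are
constructed from the command lines shown in the tree; field names follow the
Sysmon EventID 1 convention (Image, CommandLine) but nothing here is real
log output, and the rule names are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Security-product process names the sample greps for with tasklist | findstr.
AV_PROCESS_TOKENS = {
    "opssvc", "wrsa", "sophoshealth", "bdservicehost",
    "avastui", "avgui", "nswscsvc", "ekrn",
}
SCRIPT_HOSTS = ("wscript", "cscript")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    command_line: str   # its command line


def detect(ev: ProcessEvent) -> list[str]:
    """Return the rule names the event matches; an empty list means clean."""
    hits: list[str] = []
    img = ev.image.lower().rsplit("\\", 1)[-1]
    cl = ev.command_line
    cl_l = cl.lower()

    # 1. findstr fed a list of security-product process names (AV discovery).
    if img == "findstr.exe":
        tokens = set(re.findall(r"[a-z]+", cl_l)) - {"findstr", "i", "v"}
        if tokens & AV_PROCESS_TOKENS:
            hits.append("av_process_discovery")

    # 2. schtasks action = a script host running a file from a user-writable path.
    if img == "schtasks.exe" and "/create" in cl_l:
        m = re.search(r'/tr\s+"(.*?)"\s+/sc', cl, re.IGNORECASE | re.DOTALL)
        action = (m.group(1) if m else "").lower()
        if any(h in action for h in SCRIPT_HOSTS) and USER_WRITABLE.search(action):
            hits.append("schtasks_script_host_from_appdata")

    # 3. copy /b joining several chunk files into one output (payload reassembly).
    if img == "cmd.exe" and "copy /b" in cl_l and cl_l.count("+") >= 2:
        hits.append("copy_b_multipart_concat")

    # 4. expand turning an Office-looking file (.potx) into a .bat.
    if img in ("cmd.exe", "expand.exe") and re.search(
            r"\bexpand\s+\S+\.potx\s+\S+\.bat\b", cl_l):
        hits.append("expand_office_ext_to_bat")

    # 5. A .com image executing from the user's AppData\Local tree.
    if img.endswith(".com") and "\\appdata\\local\\" in ev.image.lower():
        hits.append("com_executed_from_appdata")

    return hits


# Constructed events, taken from the command lines in the process tree above.
CONSTRUCTED_EVENTS = [
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe",
                 r'"C:\Windows\system32\cmd.exe" /c expand Panic.potx Panic.potx.bat & Panic.potx.bat'),
    ProcessEvent(r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "opssvc wrsa"'),
    ProcessEvent(r"C:\Windows\SysWOW64\findstr.exe",
                 'findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"'),
    ProcessEvent(r"C:\Windows\SysWOW64\findstr.exe", 'findstr /V "ALIGN" Installation'),
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe",
                 r"cmd /c copy /b 70410\Fault.com + Contains + Faith + Trackback 70410\Fault.com"),
    ProcessEvent(r"C:\Windows\SysWOW64\schtasks.exe",
                 r'''schtasks.exe /create /tn "Messaging" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js'" /sc minute /mo 5 /F'''),
    # Constructed benign control: a task that runs a Program Files binary.
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /F'),
    ProcessEvent(r"C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com",
                 r'"C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com" "C:\Users\user\AppData\Local\TechMesh Dynamics\Q"'),
]


def scan(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Group triggering command lines by rule name."""
    report: dict[str, list[str]] = {}
    for ev in events:
        for rule in detect(ev):
            report.setdefault(rule, []).append(ev.command_line)
    return report


if __name__ == "__main__":
    for rule, cmds in scan(CONSTRUCTED_EVENTS).items():
        print(rule)
        for c in cmds:
            print("    " + c)
```

Rule 2 is the one worth tuning in a real estate: legitimate tasks that run scripts from a user profile exist, so the AppData path check is what keeps it from firing on every wscript task. The 'findstr /V "ALIGN" Installation' line from the same chain is included as a negative case to show that rule 1 keys on the product names, not on findstr itself.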

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "Messaging" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Messaging" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Messaging" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8036, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Messaging" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js'" /sc minute /mo 5 /F, ProcessId: 2736, ProcessName: schtasks.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js", ProcessId: 6296, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "Messaging" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Messaging" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Messaging" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8036, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Messaging" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js'" /sc minute /mo 5 /F, ProcessId: 2736, ProcessName: schtasks.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js", ProcessId: 6296, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 7200, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url
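The Startup entry above is not a shortcut to a web page: the two echo commands in the process tree write an [InternetShortcut] section whose URL= is a bare local path to InnoMesh.js, and the shell hands that to WScript.exe at logon (the second wscript.exe in the tree, launched without //B, is that logon run). The checker below is an added example written for this page, not code from the report or from Joe Security. The shortcut content is constructed to match what those echo commands would write (cmd's echo keeps the trailing space before the redirect operator); the extension list and the verdict names are this example's own choices.

```python
"""Flag Startup-folder .url shortcuts whose target is a local script file.

Added example, not part of the Joe Sandbox report. The shortcut content is
constructed from the two echo commands in the process tree; the extension
list and verdict names are this example's own.
"""
from __future__ import annotations

import os
from urllib.parse import urlparse

# Extensions a script host or cmd.exe will run when the shell "opens" the URL.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".hta", ".bat", ".cmd", ".ps1"}


def parse_url_shortcut(text: str) -> str | None:
    """Return the URL= value of the [InternetShortcut] section, or None."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()                      # tolerate the trailing spaces echo leaves
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "url":
                return value.strip().strip('"')  # the sample wraps the path in quotes
    return None


def classify_target(url: str) -> str:
    """'local_script', 'local_file' or 'remote' for a shortcut target."""
    if url.lower().startswith("file:"):
        path = urlparse(url).path.lstrip("/")   # file:///C:/x -> C:/x
    elif len(url) > 2 and url[1] == ":" and url[2] in "\\/":
        path = url                              # bare drive path, as in the sample
    else:
        return "remote"
    ext = os.path.splitext(path)[1].lower()
    return "local_script" if ext in SCRIPT_EXTENSIONS else "local_file"


def audit(shortcuts: dict[str, str]) -> dict[str, str]:
    """Map {filename: content} to {filename: verdict}."""
    verdicts = {}
    for name, content in shortcuts.items():
        target = parse_url_shortcut(content)
        verdicts[name] = "no_url" if target is None else classify_target(target)
    return verdicts


# Constructed: what the two echo commands in the process tree write to InnoMesh.url.
STARTUP_URL_FROM_REPORT = (
    "[InternetShortcut] \r\n"
    'URL="C:\\Users\\user\\AppData\\Local\\TechMesh Dynamics\\InnoMesh.js" \r\n'
)
# Constructed: an ordinary browser shortcut for comparison.
BENIGN_URL = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"


if __name__ == "__main__":
    # On Windows, read the current user's real Startup folder; elsewhere fall
    # back to the constructed samples so the script still demonstrates itself.
    startup = os.path.join(os.environ.get("APPDATA", ""),
                           r"Microsoft\Windows\Start Menu\Programs\Startup")
    found: dict[str, str] = {}
    if os.path.isdir(startup):
        for fname in os.listdir(startup):
            if fname.lower().endswith(".url"):
                with open(os.path.join(startup, fname), encoding="utf-8",
                          errors="replace") as fh:
                    found[fname] = fh.read()
    samples = found or {"InnoMesh.url": STARTUP_URL_FROM_REPORT, "news.url": BENIGN_URL}
    for name, verdict in audit(samples).items():
        print(f"{verdict:13} {name}")
```

A shortcut classified as local_script in a Startup folder is almost never legitimate; local_file is worth a look but covers ordinary document shortcuts, and remote is the normal case for a .url file.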

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" , CommandLine: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c expand Panic.potx Panic.potx.bat & Panic.potx.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8000, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" , ProcessId: 6776, ProcessName: findstr.exe
Timestamp                         SID      Severity  Classtype        Source IP    Source Port  Destination IP  Destination Port  Protocol
2025-03-14T08:48:45.731285+0100   2028371  3         Unknown Traffic  192.168.2.5  49771        23.197.127.21   443               TCP
2025-03-14T08:48:45.731285+0100   2028371  3         Unknown Traffic  192.168.2.5  49765        104.21.64.1     443               TCP
2025-03-14T08:48:45.731285+0100   2028371  3         Unknown Traffic  192.168.2.5  49756        188.114.97.3    443               TCP
2025-03-14T08:48:45.731285+0100   2028371  3         Unknown Traffic  192.168.2.5  49759        104.21.48.1     443               TCP
2025-03-14T08:48:45.731285+0100   2028371  3         Unknown Traffic  192.168.2.5  49744        149.154.167.99  443               TCP
2025-03-14T08:48:45.731285+0100   2028371  3         Unknown Traffic  192.168.2.5  49768        23.197.127.21   443               TCP
2025-03-14T08:48:45.731285+0100   2028371  3         Unknown Traffic  192.168.2.5  49762        104.21.64.1     443               TCP
2025-03-14T08:48:45.731285+0100   2028371  3         Unknown Traffic  192.168.2.5  49753        188.114.97.3    443               TCP
2025-03-14T08:48:45.731285+0100   2028371  3         Unknown Traffic  192.168.2.5  49750        104.21.48.1     443               TCP
2025-03-14T08:48:45.731285+0100   2028371  3         Unknown Traffic  192.168.2.5  49747        104.21.6.2      443               TCP

AV Detection

Source: RbCSdRdU5F.exe | Avira: detected
Source: RbCSdRdU5F.exe | ReversingLabs: Detection: 42%
Source: RbCSdRdU5F.exe | Virustotal: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.0% probability
Source: RbCSdRdU5F.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: RbCSdRdU5F.exe | Static PE information: certificate valid
Source: RbCSdRdU5F.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Code function: 0_2_00406850 FindFirstFileW,FindClose,0_2_00406850
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Code function: 0_2_0040290B FindFirstFileW,0_2_0040290B
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Code function: 0_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C26
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0019A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,26_2_0019A087
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0019A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,26_2_0019A1E2
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0018E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,26_2_0018E472
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0019A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,26_2_0019A570
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0015C622 FindFirstFileExW,26_2_0015C622
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_001966DC FindFirstFileW,FindNextFileW,FindClose,26_2_001966DC
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00197333 FindFirstFileW,FindClose,26_2_00197333
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_001973D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,26_2_001973D4
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0018D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,26_2_0018D921
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0018DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,26_2_0018DC54
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\70410
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\70410\
Source: Joe Sandbox View | IP Address: 104.21.48.1
Source: Joe Sandbox View | IP Address: 104.21.48.1
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49771 -> 23.197.127.21:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49765 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49756 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49759 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49744 -> 149.154.167.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49768 -> 23.197.127.21:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49762 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49753 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49750 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49747 -> 104.21.6.2:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 12 times)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0019D889 InternetReadFile,SetEvent,GetLastError,SetEvent,26_2_0019D889
Source: global traffic | DNS traffic detected: DNS query: PMuOcoRqJMPILDNx.PMuOcoRqJMPILDNx
Source: global traffic | DNS traffic detected: DNS query: t.me
Source: global traffic | DNS traffic detected: DNS query: skylinejo.world
Source: global traffic | DNS traffic detected: DNS query: featureccus.shop
Source: global traffic | DNS traffic detected: DNS query: mrodularmall.top
Source: global traffic | DNS traffic detected: DNS query: jowinjoinery.icu
Source: global traffic | DNS traffic detected: DNS query: legenassedk.top
Source: global traffic | DNS traffic detected: DNS query: htardwarehu.icu
Source: global traffic | DNS traffic detected: DNS query: cjlaspcorne.icu
Source: global traffic | DNS traffic detected: DNS query: bugildbett.top
Source: global traffic | DNS traffic detected: DNS query: latchclan.shop
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
Source: RbCSdRdU5F.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Fault.com, 00000012.00000003.1358487438.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, Food.14.dr, Fault.com.6.dr, InnoMesh.com.18.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Fault.com, 00000012.00000003.1358487438.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, Food.14.dr, Fault.com.6.dr, InnoMesh.com.18.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Fault.com, 00000012.00000003.1358487438.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, Food.14.dr, Fault.com.6.dr, InnoMesh.com.18.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Fault.com, 00000012.00000003.1358487438.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, Food.14.dr, Fault.com.6.dr, InnoMesh.com.18.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Fault.com, 00000012.00000003.1358487438.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, Food.14.dr, Fault.com.6.dr, InnoMesh.com.18.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: RbCSdRdU5F.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: RbCSdRdU5F.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: RbCSdRdU5F.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: RbCSdRdU5F.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: RbCSdRdU5F.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: RbCSdRdU5F.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: RbCSdRdU5F.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: RbCSdRdU5F.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: RbCSdRdU5F.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: RbCSdRdU5F.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: Fault.com, 00000012.00000003.1358487438.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, Food.14.dr, Fault.com.6.dr, InnoMesh.com.18.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: RbCSdRdU5F.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: RbCSdRdU5F.exe | String found in binary or memory: http://ocsp.sectigo.com01
Source: Fault.com, 00000012.00000003.1358487438.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, Food.14.dr, Fault.com.6.dr, InnoMesh.com.18.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Fault.com, 00000012.00000003.1358487438.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, Food.14.dr, Fault.com.6.dr, InnoMesh.com.18.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Fault.com, 00000012.00000003.1358487438.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, Food.14.dr, Fault.com.6.dr, InnoMesh.com.18.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Fault.com, 00000012.00000003.1358487438.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, Food.14.dr, Fault.com.6.dr, InnoMesh.com.18.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Fault.com, 00000012.00000003.1358487438.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, Food.14.dr, Fault.com.6.dr, InnoMesh.com.18.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Fault.com, 00000012.00000003.1358487438.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, Fault.com, 00000012.00000000.1350579090.00000000007F5000.00000002.00000001.01000000.00000008.sdmp, InnoMesh.com, 0000001A.00000000.1383465549.00000000001F5000.00000002.00000001.01000000.0000000A.sdmp, InnoMesh.com, 0000001F.00000000.1498397898.00000000001F5000.00000002.00000001.01000000.0000000A.sdmp, Namely.14.dr, Fault.com.6.dr, InnoMesh.com.18.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: RbCSdRdU5F.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: Fault.com, 00000012.00000003.1358487438.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, Food.14.dr, Fault.com.6.dr, InnoMesh.com.18.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: InnoMesh.com.18.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Code function: 0_2_004056BB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004056BB
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0019F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,26_2_0019F7C7
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0019F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,26_2_0019F55C
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0018A635 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,26_2_0018A635
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_001B9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,26_2_001B9FD2

System Summary

Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js"
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00194763 GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00181B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Code function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0018F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | File created: C:\Windows\AmericaSubscription
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | File created: C:\Windows\GoldAdvantages
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | File created: C:\Windows\HumansMitsubishi
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | File created: C:\Windows\JvcHolidays
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | File created: C:\Windows\FutureAnna
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | File created: C:\Windows\ProductionEstablished
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | File created: C:\Windows\TheaterScotia
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00148017
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0013E144
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0012E1F0
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0015A26E
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_001422A2
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_001222AD
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0013C624
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0015E87F
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_001AC8A4
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00192A05
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00156ADE
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00188BFF
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0013CD7A
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0014CE10
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00157159
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00129240
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_001B5311
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_001296E0
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00141704
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00141A76
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00129B60
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00147B8B
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00141D20
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00147DBA
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00141FE7
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\70410\Fault.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: String function: 0013FD52 appears 40 times
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: String function: 00140DA0 appears 46 times
Source: RbCSdRdU5F.exe, 00000000.00000002.1337463929.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exe. vs RbCSdRdU5F.exe
Source: RbCSdRdU5F.exe, 00000000.00000003.1334637887.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exe. vs RbCSdRdU5F.exe
Source: RbCSdRdU5F.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal78.expl.evad.winEXE@42/30@12/6
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_001941FA GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Code function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00182010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00181A0B AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Code function: 0_2_00404967 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0018DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Code function: 0_2_004021AA CoCreateInstance
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00193A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | File created: C:\Users\user\AppData\Local\TechMesh Dynamics
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5092:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1672:120:WilError_03
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | File created: C:\Users\user\AppData\Local\Temp\nsu33D4.tmp
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Panic.potx Panic.potx.bat & Panic.potx.bat
Source: RbCSdRdU5F.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RbCSdRdU5F.exe | ReversingLabs: Detection: 42%
Source: RbCSdRdU5F.exe | Virustotal: Detection: 34%
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | File read: C:\Users\user\Desktop\RbCSdRdU5F.exe
Source: unknown | Process created: C:\Users\user\Desktop\RbCSdRdU5F.exe "C:\Users\user\Desktop\RbCSdRdU5F.exe"
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Panic.potx Panic.potx.bat & Panic.potx.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\expand.exe expand Panic.potx Panic.potx.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 70410
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Apple.potx
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "ALIGN" Installation
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 70410\Fault.com + Contains + Faith + Trackback + Yang + Podcasts + Leaving + Newport + Searched + Accepts + Namely + Food 70410\Fault.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Nsw.potx + ..\Army.potx + ..\Administrative.potx + ..\Calculations.potx + ..\Simultaneously.potx + ..\Closely.potx + ..\Nationwide.potx + ..\Ton.potx J
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\70410\Fault.com Fault.com J
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Messaging" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Messaging" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & echo URL="C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com" "C:\Users\user\AppData\Local\TechMesh Dynamics\Q"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com" "C:\Users\user\AppData\Local\TechMesh Dynamics\Q"
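The process tree above shows the second stage being rebuilt on the victim with stock cmd tooling: extrac32 unpacks Apple.potx, findstr /V drops every line of Installation that carries the ALIGN marker, and two copy /b commands concatenate the parts into 70410\Fault.com and J before Fault.com is launched with J as its argument. The Python below is an added example, not part of the Joe Sandbox report, for repeating that reassembly offline from the extracted files and checking the result against the SHA-256 the report lists for Fault.com. The chunk contents and the Installation file are constructed bytes; the parser assumes unquoted part names without spaces, as in the report's command lines; and the redirect target of the findstr /V step is not visible in the report, so where its output went is left as an assumption.

```python
"""Offline reassembly of the split payload that the batch stage rebuilds with
findstr /V and copy /b. Added example, not part of the report: chunk contents
and the Installation file are constructed, the command lines are copied from
the report, and part names are assumed to be unquoted and space-free."""
import hashlib
import re

# SHA-256 the report lists for the dropped Fault.com / InnoMesh.com.
REPORTED_SHA256 = "1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49"


def parse_copy_b(cmdline):
    """Return (ordered source parts, destination) for 'copy /b A + B ... DEST'.
    When DEST equals the first part, cmd appends the rest to it in place,
    which is exactly what the Fault.com command in the report does."""
    m = re.search(r"copy\s+/b\s+(.+?)\s*$", cmdline, re.IGNORECASE)
    if not m:
        raise ValueError("not a copy /b command")
    parts = [p.strip() for p in m.group(1).split(" + ")]
    if " " not in parts[-1]:
        raise ValueError("destination missing")  # assumption: DEST is always given
    last, dest = parts[-1].rsplit(None, 1)
    parts[-1] = last
    return parts, dest


def strip_marker_lines(data, marker):
    """Emulate 'findstr /V MARKER file': keep only lines without MARKER.
    findstr is case-sensitive without /I and works line by line, so filler
    lines tagged with the marker can be interleaved with the real payload."""
    return b"".join(line for line in data.splitlines(keepends=True)
                    if marker not in line)


def reassemble(chunks, order):
    """copy /b semantics: raw byte concatenation in command-line order."""
    return b"".join(chunks[name] for name in order)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def matches_report(data):
    """The check to run after rebuilding: does the result match the sandbox hash?"""
    return sha256_hex(data) == REPORTED_SHA256


# Command lines copied from the report's process tree.
COPY_FAULT = (r"cmd /c copy /b 70410\Fault.com + Contains + Faith + Trackback + Yang"
              r" + Podcasts + Leaving + Newport + Searched + Accepts + Namely + Food"
              r" 70410\Fault.com")
COPY_J = (r"cmd /c copy /b ..\Nsw.potx + ..\Army.potx + ..\Administrative.potx"
          r" + ..\Calculations.potx + ..\Simultaneously.potx + ..\Closely.potx"
          r" + ..\Nationwide.potx + ..\Ton.potx J")

# Constructed stand-ins for the extracted chunk files (not the real contents).
CHUNKS = {name: f"<{name}>".encode() for name in parse_copy_b(COPY_FAULT)[0]}

# Constructed stand-in for the Installation file: payload lines padded with
# ALIGN filler that findstr /V removes.
INSTALLATION = b"ALIGN xxxxxxxx\r\nPAYLOAD-LINE-1\r\nALIGN yyyyyyyy\r\nPAYLOAD-LINE-2\r\n"

if __name__ == "__main__":
    order, dest = parse_copy_b(COPY_FAULT)
    print(dest, "<-", " + ".join(order))
    blob = reassemble(CHUNKS, order)
    print(len(blob), "bytes, hash", sha256_hex(blob),
          "matches report" if matches_report(blob) else "differs from report (constructed data)")
    print(strip_marker_lines(INSTALLATION, b"ALIGN"))
```

With the real extracted files in place of CHUNKS, a hash match against the report's value confirms that the reassembly order was read correctly; a mismatch usually means the findstr /V output was fed into one of the parts and its line handling has to be reproduced byte for byte.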
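Read as a detection problem, the same tree carries several process-creation features that together are characteristic of this loader: expand.exe writing a .bat from a renamed input, findstr invoked on tasklist output with security-product process names as its search terms (the same list the report flags under "Search for Antivirus process"), copy /b joining many parts, a .com file under AppData launched by cmd.exe or wscript.exe, schtasks registering wscript //B on a script under AppData, and echo redirects writing an [InternetShortcut] into the Startup folder. The Python below is an added example, not part of the report; it runs those rules over process-creation records constructed from the command lines listed above plus two benign look-alikes, in a Sysmon Event ID 1-like shape (ParentImage, Image, CommandLine) whose field and rule names are this example's own.

```python
"""Detection rules for the loader chain in this report, run over constructed
process-creation records (ParentImage, Image, CommandLine). Added example, not
part of the report: the records are built from the report's command lines plus
two benign ones; field and rule names are this example's own."""
import re

# Process names the dropper greps tasklist output for (from the findstr
# arguments in the report), lower-cased for comparison.
AV_PROCESS_NAMES = {
    "opssvc", "wrsa", "sophoshealth", "bdservicehost",
    "avastui", "avgui", "nswscsvc", "ekrn",
}


def rec(parent, image, cmdline):
    """Build one record; a real feed would also carry PIDs and timestamps."""
    return {"ParentImage": parent, "Image": image, "CommandLine": cmdline}


def rule_av_discovery(r):
    """findstr whose quoted search terms are security-product process names."""
    if not r["Image"].lower().endswith("findstr.exe"):
        return False
    quoted = re.findall(r'"([^"]+)"', r["CommandLine"])
    words = {w.lower() for q in quoted for w in q.split()}
    return bool(words & AV_PROCESS_NAMES)


def rule_expand_to_bat(r):
    """expand.exe decompressing a renamed payload straight into a .bat."""
    return (r["Image"].lower().endswith("expand.exe")
            and r["CommandLine"].lower().rstrip().endswith(".bat"))


def rule_copy_concat(r):
    """copy /b joining three or more parts: a split payload reassembled by cmd."""
    c = r["CommandLine"].lower()
    return "copy /b" in c and c.count(" + ") >= 2


def rule_com_launch(r):
    """A .com file under AppData started by cmd.exe or wscript.exe."""
    img, parent = r["Image"].lower(), r["ParentImage"].lower()
    return (img.endswith(".com") and "\\appdata\\" in img
            and parent.rsplit("\\", 1)[-1] in ("cmd.exe", "wscript.exe"))


def rule_schtasks_wscript(r):
    """Scheduled task whose action is wscript //B on a script under AppData."""
    c = r["CommandLine"].lower()
    return all(t in c for t in ("schtasks", "/create", "wscript", "//b", "\\appdata\\"))


def rule_startup_url(r):
    """echo redirects writing an [InternetShortcut] into the Startup folder."""
    c = r["CommandLine"].lower()
    return all(t in c for t in ("[internetshortcut]", "\\startup\\", ".url"))


RULES = [
    ("av_discovery", rule_av_discovery),
    ("expand_to_bat", rule_expand_to_bat),
    ("copy_concat", rule_copy_concat),
    ("com_launch", rule_com_launch),
    ("schtasks_wscript", rule_schtasks_wscript),
    ("startup_url", rule_startup_url),
]


def scan(records):
    """Return (rule_name, image) for every record a rule matches."""
    return [(name, r["Image"]) for r in records for name, pred in RULES if pred(r)]


def summarize(records):
    """Per-rule hit counts, the shape a SIEM aggregation would produce."""
    counts = {}
    for name, _ in scan(records):
        counts[name] = counts.get(name, 0) + 1
    return counts


CMD = r"C:\Windows\SysWOW64\cmd.exe"
SYS = r"C:\Windows\SysWOW64"
FAULT = r"C:\Users\user\AppData\Local\Temp\70410\Fault.com"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
INNO = r"C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com"

# Constructed from the report's process tree, followed by two benign look-alikes.
SAMPLE_RECORDS = [
    rec(r"C:\Users\user\Desktop\RbCSdRdU5F.exe", CMD, r'"C:\Windows\system32\cmd.exe" /c expand Panic.potx Panic.potx.bat & Panic.potx.bat'),
    rec(CMD, SYS + r"\expand.exe", "expand Panic.potx Panic.potx.bat"),
    rec(CMD, SYS + r"\tasklist.exe", "tasklist"),
    rec(CMD, SYS + r"\findstr.exe", 'findstr /I "opssvc wrsa"'),
    rec(CMD, SYS + r"\findstr.exe", 'findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"'),
    rec(CMD, CMD, "cmd /c md 70410"),
    rec(CMD, SYS + r"\extrac32.exe", "extrac32 /Y /E Apple.potx"),
    rec(CMD, SYS + r"\findstr.exe", 'findstr /V "ALIGN" Installation'),
    rec(CMD, CMD, r"cmd /c copy /b 70410\Fault.com + Contains + Faith + Trackback + Yang + Podcasts + Leaving + Newport + Searched + Accepts + Namely + Food 70410\Fault.com"),
    rec(CMD, CMD, r"cmd /c copy /b ..\Nsw.potx + ..\Army.potx + ..\Administrative.potx + ..\Calculations.potx + ..\Simultaneously.potx + ..\Closely.potx + ..\Nationwide.potx + ..\Ton.potx J"),
    rec(CMD, FAULT, "Fault.com J"),
    rec(CMD, SYS + r"\choice.exe", "choice /d y /t 5"),
    rec(FAULT, CMD, r"""cmd /c schtasks.exe /create /tn "Messaging" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js'" /sc minute /mo 5 /F"""),
    rec(FAULT, CMD, r"""cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & echo URL="C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & exit"""),
    rec(WSCRIPT, INNO, r'"C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com" "C:\Users\user\AppData\Local\TechMesh Dynamics\Q"'),
    # benign (constructed): a log grep and an ordinary backup task
    rec(CMD, SYS + r"\findstr.exe", r'findstr /I "error warning" C:\logs\app.log'),
    rec(r"C:\Windows\System32\svchost.exe", SYS + r"\schtasks.exe", r'schtasks /create /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe" /sc daily'),
]

if __name__ == "__main__":
    for name, image in scan(SAMPLE_RECORDS):
        print(f"{name:18} {image}")
```

Each rule on its own is noisy (copy /b and schtasks are used legitimately); the value is in the co-occurrence within one process tree in a short window, which is why scan() keeps the image for every hit rather than a single verdict.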
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\expand.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: RbCSdRdU5F.exe | Static PE information: certificate valid
Source: RbCSdRdU5F.exe | Static file information: File size 1277464 > 1048576
Source: RbCSdRdU5F.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00125FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.comCode function: 26_2_001702D8 push cs; retn 0016h26_2_00170318
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.comCode function: 26_2_00140DE6 push ecx; ret 26_2_00140DF9

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\70410\Fault.com (dropped file)
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | File created: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com (dropped file)
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\70410\Fault.com (dropped file)
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | File created: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com (dropped file)

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Messaging" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_001B26DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed (26_2_001B26DD)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0013FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput (26_2_0013FC7C)
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep (graph_26-104997)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | API coverage: 3.9 %
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com TID: 7596 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Code function: 0_2_00406850 FindFirstFileW,FindClose (0_2_00406850)
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Code function: 0_2_0040290B FindFirstFileW (0_2_0040290B)
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Code function: 0_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose (0_2_00405C26)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0019A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose (26_2_0019A087)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0019A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose (26_2_0019A1E2)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0018E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose (26_2_0018E472)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0019A570 FindFirstFileW,Sleep,FindNextFileW,FindClose (26_2_0019A570)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0015C622 FindFirstFileExW (26_2_0015C622)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_001966DC FindFirstFileW,FindNextFileW,FindClose (26_2_001966DC)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00197333 FindFirstFileW,FindClose (26_2_00197333)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_001973D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime (26_2_001973D4)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0018D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose (26_2_0018D921)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0018DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose (26_2_0018DC54)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00125FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo (26_2_00125FC8)
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\70410
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\70410\
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | API call chain: ExitProcess graph end node (graph_0-3500)
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0019F4FF BlockInput (26_2_0019F4FF)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0012338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW (26_2_0012338B)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00125FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo (26_2_00125FC8)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00145058 mov eax, dword ptr fs:[00000030h] (26_2_00145058)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_001820AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree (26_2_001820AA)
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00152992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter (26_2_00152992)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00140BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter (26_2_00140BAF)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00140D45 SetUnhandledExceptionFilter (26_2_00140D45)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00140F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess (26_2_00140F91)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00181B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock (26_2_00181B4D)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0012338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW (26_2_0012338B)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0018BBED SendInput,keybd_event (26_2_0018BBED)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0018EC6C mouse_event (26_2_0018EC6C)
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Panic.potx Panic.potx.bat & Panic.potx.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\expand.exe expand Panic.potx Panic.potx.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 70410
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Apple.potx
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "ALIGN" Installation
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 70410\Fault.com + Contains + Faith + Trackback + Yang + Podcasts + Leaving + Newport + Searched + Accepts + Namely + Food 70410\Fault.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Nsw.potx + ..\Army.potx + ..\Administrative.potx + ..\Calculations.potx + ..\Simultaneously.potx + ..\Closely.potx + ..\Nationwide.potx + ..\Ton.potx J
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\70410\Fault.com Fault.com J
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Messaging" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com" "C:\Users\user\AppData\Local\TechMesh Dynamics\Q"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com" "C:\Users\user\AppData\Local\TechMesh Dynamics\Q"
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\innomesh.url" & echo url="c:\users\user\appdata\local\techmesh dynamics\innomesh.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\innomesh.url" & exit
Source: C:\Users\user\AppData\Local\Temp\70410\Fault.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\innomesh.url" & echo url="c:\users\user\appdata\local\techmesh dynamics\innomesh.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\innomesh.url" & exit
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_001814AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree (26_2_001814AE)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00181FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid (26_2_00181FB0)
Source: Fault.com, 00000012.00000000.1350510892.00000000007E3000.00000002.00000001.01000000.00000008.sdmp, Fault.com, 00000012.00000003.1358736969.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, InnoMesh.com, 0000001A.00000002.1393127334.00000000001E3000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: InnoMesh.com | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_00140A08 cpuid (26_2_00140A08)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0017E5F4 GetLocalTime (26_2_0017E5F4)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0017E652 GetUserNameW (26_2_0017E652)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_0015BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free (26_2_0015BCD2)
Source: C:\Users\user\Desktop\RbCSdRdU5F.exe | Code function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess (0_2_0040350A)
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: InnoMesh.com | Binary or memory string: WIN_81
Source: InnoMesh.com | Binary or memory string: WIN_XP
Source: InnoMesh.com.18.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: InnoMesh.com | Binary or memory string: WIN_XPe
Source: InnoMesh.com | Binary or memory string: WIN_VISTA
Source: InnoMesh.com | Binary or memory string: WIN_7
Source: InnoMesh.com | Binary or memory string: WIN_8
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_001A2263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket (26_2_001A2263)
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | Code function: 26_2_001A1C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket (26_2_001A1C61)
MITRE ATT&CK Matrix (a number before a technique name is the count of matched signatures for that technique; techniques without a number were not observed)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 111 Scripting | 2 Valid Accounts | 1 Windows Management Instrumentation | 111 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 21 Input Capture | 12 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Command and Scripting Interpreter | 2 Valid Accounts | 2 Valid Accounts | 2 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 17 System Information Discovery | Distributed Component Object Model | Input Capture | 2 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | 2 Registry Run Keys / Startup Folder | 12 Process Injection | 111 Masquerading | LSA Secrets | 12 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Scheduled Task/Job | 2 Valid Accounts | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 2 Registry Run Keys / Startup Folder | 11 Virtualization/Sandbox Evasion | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (ID: 1638139, Sample: RbCSdRdU5F.exe, Startdate: 14/03/2025, Architecture: WINDOWS, Score: 78)

Top-level DNS/IP info: PMuOcoRqJMPILDNx.PMuOcoRqJMPILDNx; t.me; 10 other IPs or domains
Top-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Sigma detected: Search for Antivirus process; 6 other signatures

Process tree:
  • RbCSdRdU5F.exe (started; dropped C:\Users\user\AppData\...\Calculations.potx, PDP-11)
    • cmd.exe (dropped C:\Users\user\AppData\Local\...\Fault.com, PE32; signatures: Drops PE files with a suspicious file extension; Uses schtasks.exe or at.exe to add and modify task schedules)
      • Fault.com (DNS/IP info: t.me 149.154.167.99, 443, 49744, 49745, TELEGRAMRU, United Kingdom; mrodularmall.top 104.21.48.1, 443, 49750, 49751, CLOUDFLARENETUS, United States; 4 other IPs or domains. Dropped C:\Users\user\AppData\Local\...\InnoMesh.com, PE32 and C:\Users\user\AppData\Local\...\InnoMesh.js, ASCII. Signature: Drops PE files with a suspicious file extension)
        • cmd.exe (dropped C:\Users\user\AppData\...\InnoMesh.url, MS)
          • conhost.exe
        • cmd.exe
          • conhost.exe
          • schtasks.exe
      • cmd.exe
      • cmd.exe
      • 10 other processes
  • wscript.exe (signature: Windows Scripting host queries suspicious COM object (likely to drop second stage))
    • InnoMesh.com
  • wscript.exe
    • InnoMesh.com

Antivirus detection (submitted sample):

Source | Detection | Scanner | Label
RbCSdRdU5F.exe | 42% | ReversingLabs | Win32.Exploit.Generic
RbCSdRdU5F.exe | 35% | Virustotal |
RbCSdRdU5F.exe | 100% | Avira | TR/AVI.Agent.lfdhj

Antivirus detection (dropped files):

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.com | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\70410\Fault.com | 0% | ReversingLabs |

No Antivirus matches
No Antivirus matches

Antivirus detection (URLs):

Source | Detection | Scanner | Label
http://ocsp.sectigo.com01 | 0% | Avira URL Cloud | safe
Domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
skylinejo.world | 104.21.6.2 | true | false | | unknown
steamcommunity.com | 23.197.127.21 | true | false | | high
jowinjoinery.icu | 188.114.97.3 | true | false | | high
t.me | 149.154.167.99 | true | false | | high
legenassedk.top | 188.114.97.3 | true | false | | high
htardwarehu.icu | 104.21.48.1 | true | false | | high
bugildbett.top | 104.21.64.1 | true | false | | high
mrodularmall.top | 104.21.48.1 | true | false | | high
cjlaspcorne.icu | 104.21.64.1 | true | false | | high
PMuOcoRqJMPILDNx.PMuOcoRqJMPILDNx | unknown | unknown | true | | unknown
latchclan.shop | unknown | unknown | false | | high
featureccus.shop | unknown | unknown | false | | high
URLs:

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | RbCSdRdU5F.exe | false | | high
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 | RbCSdRdU5F.exe | false | | high
http://ocsp.sectigo.com01 | RbCSdRdU5F.exe | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | RbCSdRdU5F.exe | false | | high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# | RbCSdRdU5F.exe | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | RbCSdRdU5F.exe | false | | high
http://ocsp.sectigo.com0 | RbCSdRdU5F.exe | false | | high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z | RbCSdRdU5F.exe | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | RbCSdRdU5F.exe | false | | high
http://www.autoitscript.com/autoit3/X | Fault.com, 00000012.00000003.1358487438.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, Fault.com, 00000012.00000000.1350579090.00000000007F5000.00000002.00000001.01000000.00000008.sdmp, InnoMesh.com, 0000001A.00000000.1383465549.00000000001F5000.00000002.00000001.01000000.0000000A.sdmp, InnoMesh.com, 0000001F.00000000.1498397898.00000000001F5000.00000002.00000001.01000000.0000000A.sdmp, Namely.14.dr, Fault.com.6.dr, InnoMesh.com.18.dr | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | RbCSdRdU5F.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | RbCSdRdU5F.exe | false | | high
https://www.autoitscript.com/autoit3/ | Fault.com, 00000012.00000003.1358487438.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, Food.14.dr, Fault.com.6.dr, InnoMesh.com.18.dr | false | | high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0# | RbCSdRdU5F.exe | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.48.1 | htardwarehu.icu | United States | 13335 | CLOUDFLARENETUS | false
188.114.97.3 | jowinjoinery.icu | European Union | 13335 | CLOUDFLARENETUS | false
23.197.127.21 | steamcommunity.com | United States | 20940 | AKAMAI-ASN1EU | false
104.21.64.1 | bugildbett.top | United States | 13335 | CLOUDFLARENETUS | false
104.21.6.2 | skylinejo.world | United States | 13335 | CLOUDFLARENETUS | false
149.154.167.99 | t.me | United Kingdom | 62041 | TELEGRAMRU | false
                                                    Joe Sandbox version:42.0.0 Malachite
                                                    Analysis ID:1638139
                                                    Start date and time:2025-03-14 08:48:02 +01:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 8m 28s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                    Run name:Run with higher sleep bypass
                                                    Number of analysed new started processes analysed:37
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample name:RbCSdRdU5F.exe
                                                    renamed because original name is a hash value
                                                    Original Sample Name:dba844b00d59c245382b87ce7441a86c23df76cd517c5a291e91e76ecb8b7873.exe
                                                    Detection:MAL
                                                    Classification:mal78.expl.evad.winEXE@42/30@12/6
                                                    EGA Information:
                                                    • Successful, ratio: 100%
                                                    HCA Information:
                                                    • Successful, ratio: 99%
                                                    • Number of executed functions: 80
                                                    • Number of non-executed functions: 252
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                    • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                                    • Excluded IPs from analysis (whitelisted): 23.199.214.10
                                                    • Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ev2-ring.msedge.net, ax-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, g.bing.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                    • Report size getting too big, too many NtOpenFile calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                    • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
08:49:02 | Task Scheduler | Run new task: Messaging path: wscript s>//B "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js"
08:49:05 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.48.1 | 345623.bat | malicious | DBatLoader, FormBook | www.shlomi.app/9rzh/
104.21.48.1 | ySUB97Jq80.exe | malicious | FormBook, GuLoader | www.shlomi.app/9rzh/
104.21.48.1 | hQaXUS5gt0.exe | malicious | FormBook | www.newanthoperso.shop/3nis/
104.21.48.1 | 6nA8ZygZLP.exe | malicious | FormBook | www.rbopisalive.cyou/2dxw/
104.21.48.1 | UhuGtHUgHf.exe | malicious | FormBook | www.enoughmoney.online/z9gb/
104.21.48.1 | Bill_of_Lading_20250307_pdf.bat.exe | malicious | Lokibot | touxzw.ir/sccc/five/fre.php
104.21.48.1 | Stormwater Works Drawings Spec.js | malicious | FormBook | www.lucynoel6465.shop/jgkl/
104.21.48.1 | Shipment Delivery No DE0093002-PDF.exe | malicious | Lokibot | touxzw.ir/tking3/five/fre.php
104.21.48.1 | Remittance_CT022024.exe | malicious | Lokibot | touxzw.ir/fix/five/fre.php
104.21.48.1 | http://microsoft-sharepoint4543464633.pages.dev/index-2jc93/ | malicious | HTMLPhisher | microsoft-sharepoint4543464633.pages.dev/index-2jc93/
188.114.97.3 | http://sg-adh7.vv.885210.xyz/ | malicious | Unknown | sg-adh7.vv.885210.xyz/favicon.ico
188.114.97.3 | http://caixadirectasecdigital.com/ | malicious | HTMLPhisher | caixadirectasecdigital.com/favicon.ico
188.114.97.3 | PO NO 28950.exe | malicious | FormBook | www.tether1.xyz/focp/
188.114.97.3 | RFQ- Italy.exe | malicious | DBatLoader, FormBook | www.xploitation.net/sqjz/
188.114.97.3 | Enquiry Quote - 21834-01.exe | malicious | FormBook | www.joeyvv.xyz/b80n/
188.114.97.3 | DcbI6OM1wO.exe | malicious | Lokibot, PureLog Stealer, zgRAT | ddrtot.shop/New/PWS/fre.php
188.114.97.3 | kVPzMgJglW.exe | malicious | FormBook | www.timeinsardinia.info/j4nd/
188.114.97.3 | tnZI8EzSx3.exe | malicious | FormBook | www.braposaldesk.cyou/3it7/
188.114.97.3 | zzSk99EqY0.exe | malicious | FormBook | www.braposaldesk.cyou/3it7/
188.114.97.3 | hh01FRs81x.exe | malicious | FormBook | www.serenityos.dev/dntg/?R4lxS2-P=Xi77pNpzRwduTXf13DwoRl9ks24bE/OoZO8jI9GlbI12YargANeHXOwJPk3kluRPu8INtGeEgdhJoy+Tym0P0ZbjUAApu4gNis/FV3kbZJq8JK1mGA==&LL=4FHLH
Match | Associated Sample Name / URL | Detection | Threat Name | Context
t.me | Portals.exe | malicious | Vidar | 149.154.167.99
t.me | Portals.exe | malicious | Unknown | 149.154.167.99
t.me | https://auth.microsites.m-atelier.cz/redir?url=https://telegra.ph/Charlotte-Reeves-03-13&data=05%7C02%7Cteat@test.com%7Cf85134ec55e24fa0741708dd623d50ea%7C22def1f7e945453d836bda7282c42443%7C0%7C0%7C638774737677482831%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ==%7C0%7C%7C%7C&sdata=AFWlQKGCYsB3szoYr99UdtJsHEuv5b0KPmvHih+dvhk=&reserved=0 | malicious | Unknown | 149.154.167.99
t.me | ngbtiladkrthgad.exe | malicious | Vidar | 149.154.167.99
t.me | CheatInjector.exe1.exe | malicious | LummaC Stealer | 149.154.167.99
t.me | SimpleLoader v2.1.exe1.exe | malicious | LummaC Stealer | 149.154.167.99
t.me | http://khr.lfp.mybluehost.me/intesasanpaolo/web/login.php | malicious | Unknown | 50.6.3.255
t.me | https://khr.lfp.mybluehost.me/intesasanpaolo/web/login.php/ | malicious | Unknown | 50.6.3.255
t.me | Launcher.exe | malicious | LummaC Stealer, RHADAMANTHYS, Xmrig | 149.154.167.99
jowinjoinery.icu | setup.exe | malicious | LummaC Stealer | 188.114.96.3
jowinjoinery.icu | FusionLoader v2.1.exe | malicious | LummaC Stealer | 188.114.96.3
jowinjoinery.icu | file.exe | malicious | LummaC Stealer | 188.114.96.3
jowinjoinery.icu | file.exe | malicious | Unknown | 188.114.96.3
jowinjoinery.icu | file.exe | malicious | Unknown | 188.114.97.3
jowinjoinery.icu | file.exe | malicious | LummaC Stealer | 188.114.97.3
jowinjoinery.icu | file.exe | malicious | LummaC Stealer | 188.114.97.3
jowinjoinery.icu | nvtoaldlrg.exe | malicious | LummaC Stealer | 188.114.97.3
jowinjoinery.icu | kmtsefjtjha.exe | malicious | LummaC Stealer | 188.114.97.3
legenassedk.top | setup.exe | malicious | LummaC Stealer | 188.114.96.3
legenassedk.top | FusionLoader v2.1.exe | malicious | LummaC Stealer | 188.114.96.3
legenassedk.top | file.exe | malicious | LummaC Stealer | 188.114.96.3
legenassedk.top | file.exe | malicious | Unknown | 188.114.96.3
legenassedk.top | file.exe | malicious | Unknown | 188.114.97.3
legenassedk.top | file.exe | malicious | LummaC Stealer | 188.114.97.3
legenassedk.top | nvtoaldlrg.exe | malicious | LummaC Stealer | 188.114.96.3
legenassedk.top | L0erlgyZ6f.exe | malicious | Amadey, LummaC Stealer | 188.114.97.3
legenassedk.top | ModMenu.exe | malicious | LummaC Stealer | 188.114.97.3
steamcommunity.com | setup.exe