Loading ...

Play interactive tourEdit tour

Windows Analysis Report jXzrIReInY

Overview

General Information

Sample Name:jXzrIReInY (renamed file extension from none to exe)
Analysis ID:528552
MD5:4ec77eb8280485764b6bc22f6cf7d57e
SHA1:85215638743eeb6800aaada5d057e96032db6906
SHA256:716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25
Tags:BABADEDA-CrypterexeUrsnif
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
PE file has a writeable .text section
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Drops files with a non-matching file extension (content does not match file extension)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Checks for available system drives (often done to infect USB drives)

Classification

Process Tree

  • System is w10x64
  • jXzrIReInY.exe (PID: 7000 cmdline: "C:\Users\user\Desktop\jXzrIReInY.exe" MD5: 4EC77EB8280485764B6BC22F6CF7D57E)
    • msiexec.exe (PID: 6512 cmdline: C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\jXzrIReInY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876902 " AI_EUIMSI=" MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • msiexec.exe (PID: 4360 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 4344 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C5EB72BDE2B80B60A07F51ECA26339C7 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • msiexec.exe (PID: 4852 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 54779E8B78CD501470CD2E1995D98D79 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • plcd-player.exe (PID: 6620 cmdline: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe MD5: 25DDBD309BB8094229704383977C7268)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000011.00000002.530777240.00000000035F9000.00000004.00000040.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
    00000011.00000002.530869037.0000000003BA8000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      Process Memory Space: plcd-player.exe PID: 6620JoeSecurity_UrsnifYara detected UrsnifJoe Security

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        17.2.plcd-player.exe.35f94a0.2.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
          17.2.plcd-player.exe.35f94a0.2.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
            17.2.plcd-player.exe.2ce0000.1.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security

              Sigma Overview

              No Sigma rule has matched

              Jbx Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Found malware configurationShow sources
              Source: 17.2.plcd-player.exe.2ce0000.1.unpackMalware Configuration Extractor: Ursnif {"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
              Multi AV Scanner detection for submitted fileShow sources
              Source: jXzrIReInY.exeVirustotal: Detection: 52%Perma Link
              Source: jXzrIReInY.exeMetadefender: Detection: 22%Perma Link
              Source: jXzrIReInY.exeReversingLabs: Detection: 35%
              Antivirus / Scanner detection for submitted sampleShow sources
              Source: jXzrIReInY.exeAvira: detected
              Antivirus detection for dropped fileShow sources
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\lcms-5.0.dllAvira: detection malicious, Label: TR/Redcap.chbhs
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\plcd-player.exeAvira: detection malicious, Label: TR/Agent.kkknq
              Source: 17.2.plcd-player.exe.1a0000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen8

              Compliance:

              barindex
              Detected unpacking (overwrites its own PE header)Show sources
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeUnpacked PE file: 17.2.plcd-player.exe.1a0000.0.unpack
              Source: jXzrIReInY.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\CrashRpt License.txtJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\License.txtJump to behavior
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\License.txtJump to behavior
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\CrashRpt License.txtJump to behavior
              Source: jXzrIReInY.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: c:\Data\SkyDrive\Programming\Projects\Delimon\Delimon.Win32.IO 2013\Win32FileLibrary\obj\Release\Delimon.Win32.IO.pdb source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, Delimon.Win32.IO.dll.0.dr
              Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: jXzrIReInY.exe, decoder.dll.0.dr
              Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb @ source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr
              Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb2 source: jXzrIReInY.exe, decoder.dll.0.dr
              Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr
              Source: Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdbp source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr
              Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb] source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr
              Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdbk source: jXzrIReInY.exe
              Source: Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr
              Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr
              Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: jXzrIReInY.exe
              Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp
              Source: Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdb source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr
              Source: Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
              Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbi source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb"" source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
              Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr
              Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb0k source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
              Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
              Source: Binary string: c:\b\4741\2125\src\intermediate\System.Threading.Tasks.v2.5.csproj_75e1c727\Release\System.Threading.Tasks.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
              Source: Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdbSHA256 source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr
              Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbj source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr
              Source: Binary string: d:\projects\SslCertBinding.Net\src\SslCertBinding.Net\obj\Release\SslCertBinding.Net.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
              Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: z:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: x:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: v:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: t:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: r:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: p:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: n:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: l:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: j:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: h:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: f:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: b:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: y:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: w:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: u:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: s:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: q:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: o:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: m:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: k:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: i:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: g:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: e:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: c:Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: a:Jump to behavior
              Source: jXzrIReInY.exe, 00000000.00000000.257327545.0000000000435000.00000002.00020000.sdmp, jXzrIReInY.exe, 00000000.00000002.350001500.0000000000435000.00000002.00020000.sdmpString found in binary or memory: !7Shell32.dllShlwapi.dllbinSoftware\JavaSoft\Java Runtime Environment\Software\JavaSoft\Java Development Kit\JavaHomeFlashWindowFlashWindowExKernel32.dllGetPackagePathhttp://www.yahoo.comhttp://www.google.comTESThttp://www.example.comtin9999.tmp.partattachmentHEAD "=charsetfilename123DLDutf-8POSTISO-8859-1utf-16AdvancedInstallerUS-ASCIILocal Network ServerGET*/*FTP ServerRange: bytes=%u- equals www.yahoo.com (Yahoo)
              Source: jXzrIReInY.exeString found in binary or memory: !LShell32.dllShlwapi.dllbinSoftware\JavaSoft\Java Runtime Environment\Software\JavaSoft\Java Development Kit\JavaHomeFlashWindowFlashWindowExKernel32.dllGetPackagePathhttp://www.yahoo.comhttp://www.google.comTESThttp://www.example.comtin9999.tmp.partattachmentHEAD "=charsetfilename123DLDutf-8POSTISO-8859-1utf-16AdvancedInstallerUS-ASCIILocal Network ServerGET*/*FTP ServerRange: bytes=%u- equals www.yahoo.com (Yahoo)
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.drString found in binary or memory: http://aia.startssl.com/certs/ca.crt02
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.drString found in binary or memory: http://aia.startssl.com/certs/sub.class2.code.ca.crt0#
              Source: jXzrIReInY.exe, 00000000.00000003.312512625.0000000005C19000.00000004.00000001.sdmp, plcd-player.exe, 00000011.00000002.527502141.000000000040A000.00000002.00020000.sdmpString found in binary or memory: http://apache.org/xml/UnknownNSUCS4UCS-4UCS_4UTF-32ISO-10646-UCS-4UCS-4
              Source: jXzrIReInY.exe, 00000000.00000003.312512625.0000000005C19000.00000004.00000001.sdmp, plcd-player.exe, 00000011.00000002.527502141.000000000040A000.00000002.00020000.sdmpString found in binary or memory: http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI
              Source: jXzrIReInY.exe, 00000000.00000003.312512625.0000000005C19000.00000004.00000001.sdmp, plcd-player.exe, 00000011.00000002.527502141.000000000040A000.00000002.00020000.sdmpString found in binary or memory: http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHhttp://apache.org/xml/messages/XML
              Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
              Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
              Source: jXzrIReInY.exeString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: jXzrIReInY.exeString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.drString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.drString found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.drString found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
              Source: jXzrIReInY.exe, 00000000.00000002.351250737.0000000003B7F000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.348127021.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.drString found in binary or memory: http://crl.globalsign.net/root.crl0
              Source: jXzrIReInY.exeString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
              Source: jXzrIReInY.exeString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.drString found in binary or memory: http://crl.startssl.com/crtc2-crl.crl0
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.drString found in binary or memory: http://crl.startssl.com/sfsca.crl0C
              Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
              Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
              Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
              Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
              Source: jXzrIReInY.exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
              Source: jXzrIReInY.exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
              Source: jXzrIReInY.exe, 00000000.00000003.266930196.0000000001624000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.266967151.0000000001624000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/j
              Source: jXzrIReInY.exe, 00000000.00000002.351250737.0000000003B7F000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.348127021.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
              Source: jXzrIReInY.exe, 00000000.00000002.351250737.0000000003B7F000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.348127021.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
              Source: jXzrIReInY.exe, 00000000.00000003.266901842.0000000001600000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e63855f36c428
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmpString found in binary or memory: http://icu-project.org
              Source: jXzrIReInY.exe, 00000000.00000003.267465626.0000000001622000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.267660560.000000000163F000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.266930196.0000000001624000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.266967151.0000000001624000.00000004.00000001.sdmpString found in binary or memory: http://locdl.windowsupdate.com/
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.drString found in binary or memory: http://mybusinesscatalog.com0
              Source: jXzrIReInY.exe, AWSSDK.SimpleDB.dll.4.drString found in binary or memory: http://ocsp.comodoca.com0
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.drString found in binary or memory: http://ocsp.comodoca.com0B
              Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.drString found in binary or memory: http://ocsp.digicert.com0C
              Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.drString found in binary or memory: http://ocsp.digicert.com0O
              Source: jXzrIReInY.exeString found in binary or memory: http://ocsp.sectigo.com0
              Source: jXzrIReInY.exeString found in binary or memory: http://ocsp.sectigo.com0)
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.drString found in binary or memory: http://ocsp.startssl.com/ca00
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.drString found in binary or memory: http://ocsp.startssl.com/sub/class2/code/ca0
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
              Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.drString found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
              Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.drString found in binary or memory: http://t2.symcb.com0
              Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.drString found in binary or memory: http://tl.symcb.com/tl.crl0
              Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.drString found in binary or memory: http://tl.symcb.com/tl.crt0
              Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.drString found in binary or memory: http://tl.symcd.com0&
              Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmpString found in binary or memory: http://www.MyBusinessCatalog.com
              Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.drString found in binary or memory: http://www.digicert.com/CPS0
              Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmpString found in binary or memory: http://www.ecb.int/vocabulary/2002-08-01/eurofxref
              Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmpString found in binary or memory: http://www.gesmes.org/xml/2002-08-01
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.drString found in binary or memory: http://www.openssl.org/V
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmpString found in binary or memory: http://www.openssl.org/support/faq.html
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmpString found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.drString found in binary or memory: http://www.startssl.com/0
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.drString found in binary or memory: http://www.startssl.com/policy.pdf0
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmpString found in binary or memory: http://www.unicode.org/copyright.html
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.drString found in binary or memory: https://aka.ms/azsdkvalueprop.
              Source: currencysystem5.json.0.drString found in binary or memory: https://currencysystem.com
              Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmpString found in binary or memory: https://currencysystem.com/gfx/pub/script-button-88x31.gif
              Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp, currencysystem5.json.0.drString found in binary or memory: https://currencysystem.com/gfx/pub/script-button-88x31.png
              Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmpString found in binary or memory: https://currencysystem.com/gfx/pub/script-icon-16x16.gif
              Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp, currencysystem5.json.0.drString found in binary or memory: https://currencysystem.com/gfx/pub/script-icon-16x16.png
              Source: plcd-player.exe, 00000011.00000002.530727824.00000000031EB000.00000004.00000010.sdmpString found in binary or memory: https://get.u
              Source: plcd-player.exe, 00000011.00000002.529360023.0000000002C6A000.00000004.00000001.sdmpString found in binary or memory: https://get.updates.avast.cn/
              Source: plcd-player.exe, 00000011.00000002.529180964.0000000002BC2000.00000004.00000001.sdmpString found in binary or memory: https://get.updates.avast.cn/$$
              Source: plcd-player.exe, 00000011.00000002.529360023.0000000002C6A000.00000004.00000001.sdmpString found in binary or memory: https://get.updates.avast.cn/SN
              Source: plcd-player.exe, 00000011.00000002.529180964.0000000002BC2000.00000004.00000001.sdmpString found in binary or memory: https://get.updates.avast.cn/rentVersion
              Source: plcd-player.exe, 00000011.00000002.529360023.0000000002C6A000.00000004.00000001.sdmpString found in binary or memory: https://get.updates.avast.cn/sreamble/g9_2FKpoNdUnXGannE6/i8VP6bKIH0KEVZxtH_2Fnm/ZbHMSZIAuG_2F/S_2FZ
              Source: jXzrIReInY.exe, AWSSDK.SimpleDB.dll.4.drString found in binary or memory: https://sectigo.com/CPS0
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0D
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.drString found in binary or memory: https://secure.comodo.com/CPS0L
              Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.drString found in binary or memory: https://www.advancedinstaller.com
              Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.drString found in binary or memory: https://www.digicert.com/CPS0
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.drString found in binary or memory: https://www.globalsign.com/repository/0
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.drString found in binary or memory: https://www.globalsign.com/repository/03
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.drString found in binary or memory: https://www.nuget.org/packages/Azure.Security.KeyVault.Certificates
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.drString found in binary or memory: https://www.nuget.org/packages/Azure.Security.KeyVault.Keys
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.drString found in binary or memory: https://www.nuget.org/packages/Azure.Security.KeyVault.Secrets
              Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.drString found in binary or memory: https://www.thawte.com/cps0/
              Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.drString found in binary or memory: https://www.thawte.com/repository0W
              Source: unknownDNS traffic detected: queries for: get.updates.avast.cn
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_001C03A0 RtlEnterCriticalSection,RtlLeaveCriticalSection,Sleep,select,__WSAFDIsSet,WSARecv,WSAGetLastError,RtlLeaveCriticalSection,17_2_001C03A0

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              barindex
              Yara detected UrsnifShow sources
              Source: Yara matchFile source: 00000011.00000002.530869037.0000000003BA8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: plcd-player.exe PID: 6620, type: MEMORYSTR
              Source: Yara matchFile source: 17.2.plcd-player.exe.35f94a0.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 17.2.plcd-player.exe.35f94a0.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 17.2.plcd-player.exe.2ce0000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000011.00000002.530777240.00000000035F9000.00000004.00000040.sdmp, type: MEMORY
              Source: plcd-player.exe, 00000011.00000002.528124057.00000000010CA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              E-Banking Fraud:

              barindex
              Yara detected UrsnifShow sources
              Source: Yara matchFile source: 00000011.00000002.530869037.0000000003BA8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: plcd-player.exe PID: 6620, type: MEMORYSTR
              Source: Yara matchFile source: 17.2.plcd-player.exe.35f94a0.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 17.2.plcd-player.exe.35f94a0.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 17.2.plcd-player.exe.2ce0000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000011.00000002.530777240.00000000035F9000.00000004.00000040.sdmp, type: MEMORY

              System Summary:

              barindex
              PE file has a writeable .text sectionShow sources
              Source: plcd-player.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: plcd-player.exe.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Writes or reads registry keys via WMIShow sources
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Writes registry values via WMIShow sources
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Source: jXzrIReInY.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
              Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI9CCF.tmpJump to behavior
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\3e96f3.msiJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeCode function: 0_3_03BC579B0_3_03BC579B
              Source: C:\Users\user\Desktop\jXzrIReInY.exeCode function: 0_3_03BC579B0_3_03BC579B
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_02CEAFC017_2_02CEAFC0
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_02CE7FBE17_2_02CE7FBE
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_02CE836E17_2_02CE836E
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_001E013017_2_001E0130
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_003574B917_2_003574B9
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_003644AF17_2_003644AF
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_0037348317_2_00373483
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_003735A317_2_003735A3
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_001D75D017_2_001D75D0
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_001FB96017_2_001FB960
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_001CAAB017_2_001CAAB0
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_001D6AF017_2_001D6AF0
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_00205D7017_2_00205D70
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_001DAF3017_2_001DAF30
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_001A1C90 GetProcAddress,NtCreateSection,memset,17_2_001A1C90
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_001A1703 NtMapViewOfSection,17_2_001A1703
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_001A19A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,17_2_001A19A0
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_02CE9A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,17_2_02CE9A0F
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_02CEB1E5 NtQueryVirtualMemory,17_2_02CEB1E5
              Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSoftwareDetector.dllF vs jXzrIReInY.exe
              Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePrereq.dllF vs jXzrIReInY.exe
              Source: jXzrIReInY.exe, 00000000.00000000.257395816.000000000049D000.00000002.00020000.sdmpBinary or memory string: OriginalFileNameplcd-player.exe> vs jXzrIReInY.exe
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameicuio58.dll vs jXzrIReInY.exe
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUtilities_HelperlL vs jXzrIReInY.exe
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamelibeay32.dllH vs jXzrIReInY.exe
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMicrosoft.Azure.KeyVault.Core.dll> vs jXzrIReInY.exe
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSslCertBinding.Net.dllH vs jXzrIReInY.exe
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamessleay32.dllH vs jXzrIReInY.exe
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSystem.Threading.Tasks.dllP vs jXzrIReInY.exe
              Source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameJDesktop.tools vs jXzrIReInY.exe
              Source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAWSSDK.SimpleDB.dllb! vs jXzrIReInY.exe
              Source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDelimon.Win32.IO.dllD vs jXzrIReInY.exe
              Source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameICSharpCode.SharpZipLib.dll8 vs jXzrIReInY.exe
              Source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamelzmaextractor.dllF vs jXzrIReInY.exe
              Source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAICustAct.dllF vs jXzrIReInY.exe
              Source: jXzrIReInY.exeBinary or memory string: OriginalFileNameplcd-player.exe> vs jXzrIReInY.exe
              Source: jXzrIReInY.exeBinary or memory string: OriginalFilenameDecoder.dllF vs jXzrIReInY.exe
              Source: jXzrIReInY.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: plcd-player.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: plcd-player.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: C:\Users\user\Desktop\jXzrIReInY.exeSection loaded: lpk.dllJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeSection loaded: tsappcmp.dllJump to behavior
              Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeSection loaded: libftl2.dllJump to behavior
              Source: Delimon.Win32.IO.dll.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: jXzrIReInY.exeVirustotal: Detection: 52%
              Source: jXzrIReInY.exeMetadefender: Detection: 22%
              Source: jXzrIReInY.exeReversingLabs: Detection: 35%
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile read: C:\Users\user\Desktop\jXzrIReInY.exeJump to behavior
              Source: jXzrIReInY.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\jXzrIReInY.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\jXzrIReInY.exe "C:\Users\user\Desktop\jXzrIReInY.exe"
              Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C5EB72BDE2B80B60A07F51ECA26339C7 C
              Source: C:\Users\user\Desktop\jXzrIReInY.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\jXzrIReInY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876902 " AI_EUIMSI="
              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 54779E8B78CD501470CD2E1995D98D79
              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
              Source: C:\Users\user\Desktop\jXzrIReInY.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\jXzrIReInY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876902 " AI_EUIMSI="Jump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C5EB72BDE2B80B60A07F51ECA26339C7 CJump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 54779E8B78CD501470CD2E1995D98D79Jump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) ProjectJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user~1\AppData\Local\Temp\shi1C.tmpJump to behavior
              Source: classification engineClassification label: mal100.troj.evad.winEXE@10/70@1/0
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: System.Threading.Tasks.dll.0.dr, Runtime.CompilerServices/AsyncMethodTaskCache<TResult>.csTask registration methods: 'CreateCache', 'CreateCompleted'
              Source: System.Threading.Tasks.dll.0.dr, Runtime.CompilerServices/AsyncTaskMethodBuilder<TResult>.csTask registration methods: 'Create'
              Source: System.Threading.Tasks.dll.0.dr, Runtime.CompilerServices/AsyncTaskMethodBuilder.csTask registration methods: 'Create'
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_02CE8F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,17_2_02CE8F1B
              Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmpBinary or memory string: c:\b\4741\2125\src\intermediate\System.Threading.Tasks.v2.5.csproj_75e1c727\Release\System.Threading.Tasks.pdb
              Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Zip/Compression/Streams/InflaterInputBuffer.csCryptographic APIs: 'TransformBlock'
              Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Zip/Compression/Streams/InflaterInputBuffer.csCryptographic APIs: 'TransformBlock'
              Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Zip/Compression/Streams/DeflaterOutputStream.csCryptographic APIs: 'TransformBlock'
              Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Encryption/ZipAESTransform.csCryptographic APIs: 'TransformBlock'
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: jXzrIReInY.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
              Source: jXzrIReInY.exeStatic file information: File size 7840296 > 1048576
              Source: jXzrIReInY.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x183c00
              Source: jXzrIReInY.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: jXzrIReInY.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: jXzrIReInY.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: jXzrIReInY.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: jXzrIReInY.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: jXzrIReInY.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: jXzrIReInY.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: jXzrIReInY.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: c:\Data\SkyDrive\Programming\Projects\Delimon\Delimon.Win32.IO 2013\Win32FileLibrary\obj\Release\Delimon.Win32.IO.pdb source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, Delimon.Win32.IO.dll.0.dr
              Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: jXzrIReInY.exe, decoder.dll.0.dr
              Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb @ source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr
              Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb2 source: jXzrIReInY.exe, decoder.dll.0.dr
              Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr
              Source: Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdbp source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr
              Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb] source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr
              Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdbk source: jXzrIReInY.exe
              Source: Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr
              Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr
              Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: jXzrIReInY.exe
              Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp
              Source: Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdb source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr
              Source: Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
              Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbi source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb"" source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
              Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr
              Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb0k source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
              Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
              Source: Binary string: c:\b\4741\2125\src\intermediate\System.Threading.Tasks.v2.5.csproj_75e1c727\Release\System.Threading.Tasks.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
              Source: Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdbSHA256 source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr
              Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbj source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr
              Source: Binary string: d:\projects\SslCertBinding.Net\src\SslCertBinding.Net\obj\Release\SslCertBinding.Net.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
              Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp
              Source: jXzrIReInY.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: jXzrIReInY.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: jXzrIReInY.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: jXzrIReInY.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: jXzrIReInY.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

              Data Obfuscation:

              barindex
              Detected unpacking (overwrites its own PE header)Show sources
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeUnpacked PE file: 17.2.plcd-player.exe.1a0000.0.unpack
              Detected unpacking (changes PE section rights)Show sources
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeUnpacked PE file: 17.2.plcd-player.exe.1a0000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
              Source: C:\Users\user\Desktop\jXzrIReInY.exeCode function: 0_3_03BCFF1C push eax; retn 0006h0_3_03BCFF1D
              Source: C:\Users\user\Desktop\jXzrIReInY.exeCode function: 0_3_03BCFF1C push eax; retn 0006h0_3_03BCFF1D
              Source: C:\Users\user\Desktop\jXzrIReInY.exeCode function: 0_3_03BCFF1C push eax; retn 0006h0_3_03BCFF1D
              Source: C:\Users\user\Desktop\jXzrIReInY.exeCode function: 0_3_03BCFF1C push eax; retn 0006h0_3_03BCFF1D
              Source: C:\Users\user\Desktop\jXzrIReInY.exeCode function: 0_3_015E6090 push FFFFFFB2h; ret 0_3_015E616D
              Source: C:\Users\user\Desktop\jXzrIReInY.exeCode function: 0_3_015EA480 pushad ; ret 0_3_015EA481
              Source: C:\Users\user\Desktop\jXzrIReInY.exeCode function: 0_3_015DB03B push FFFFFF96h; ret 0_3_015DB265
              Source: C:\Users\user\Desktop\jXzrIReInY.exeCode function: 0_3_015EA2AA pushad ; ret 0_3_015EA2C1
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_02CEAC00 push ecx; ret 17_2_02CEAC09
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_02CEE62F push edi; retf 17_2_02CEE630
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_02CEAFAF push ecx; ret 17_2_02CEAFBF
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_02CEE9AC push 0B565A71h; ret 17_2_02CEE9B1
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_00385731 push ecx; ret 17_2_00385744
              Source: shi1C.tmp.0.drStatic PE information: section name: .wpp_sf
              Source: shi1C.tmp.0.drStatic PE information: section name: .didat
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_001A1264 LoadLibraryA,GetProcAddress,17_2_001A1264
              Source: decoder.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x378b8
              Source: lcms-5.0.dll.4.drStatic PE information: real checksum: 0x4a44af should be: 0x4c891f
              Source: lcms-5.0.dll.0.drStatic PE information: real checksum: 0x4a44af should be: 0x4c891f
              Source: jXzrIReInY.exeStatic PE information: real checksum: 0x7889d0 should be: 0x786e21
              Source: shi1C.tmp.0.drStatic PE information: 0x72F9C735 [Sun Feb 16 01:34:45 2031 UTC]
              Source: initial sampleStatic PE information: section name: .text entropy: 7.27378716859
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\mlJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\mlJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\System.Threading.Tasks.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\libeay32.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Local\Temp\shi1C.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ssleay32.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\decoder.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\System.Threading.Tasks.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\lcms-5.0.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA6F5.tmpJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\icuio58.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA368.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\lcms-5.0.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Local\Temp\MSI1B4.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Microsoft.Azure.KeyVault.Core.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Local\Temp\MSI4D2.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Delimon.Win32.IO.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9CCF.tmpJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\plcd-player.exeJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA5CB.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA23E.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\AWSSDK.SimpleDB.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ICSharpCode.SharpZipLib.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\SslCertBinding.Net.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\icuio58.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA463.tmpJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\libeay32.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ssleay32.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9CCF.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA5CB.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA6F5.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA23E.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA368.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA463.tmpJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\CrashRpt License.txtJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\License.txtJump to behavior
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\License.txtJump to behavior
              Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\CrashRpt License.txtJump to behavior

              Hooking and other Techniques for Hiding and Protection:

              barindex
              Yara detected UrsnifShow sources
              Source: Yara matchFile source: 00000011.00000002.530869037.0000000003BA8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: plcd-player.exe PID: 6620, type: MEMORYSTR
              Source: Yara matchFile source: 17.2.plcd-player.exe.35f94a0.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 17.2.plcd-player.exe.35f94a0.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 17.2.plcd-player.exe.2ce0000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000011.00000002.530777240.00000000035F9000.00000004.00000040.sdmp, type: MEMORY
              Source: C:\Users\user\Desktop\jXzrIReInY.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exe TID: 7100Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe TID: 6676Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe TID: 1404Thread sleep time: -240000s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe TID: 2192Thread sleep count: 33 > 30Jump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\System.Threading.Tasks.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\libeay32.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi1C.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ssleay32.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\System.Threading.Tasks.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA5CB.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA23E.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\AWSSDK.SimpleDB.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ICSharpCode.SharpZipLib.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\icuio58.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\SslCertBinding.Net.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA368.tmpJump to dropped file
              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\icuio58.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Microsoft.Azure.KeyVault.Core.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dllJump to dropped file
              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Delimon.Win32.IO.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\libeay32.dllJump to dropped file
              Source: C:\Users\user\Desktop\jXzrIReInY.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ssleay32.dllJump to dropped file
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeThread delayed: delay time: 240000Jump to behavior
              Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeThread delayed: delay time: 30000Jump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeThread delayed: delay time: 240000Jump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\jXzrIReInY.exeFile Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformationJump to behavior
              Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: MSIA463.tmp.4.drBinary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
              Source: jXzrIReInY.exe, jXzrIReInY.exe, 00000000.00000003.348852801.00000000015DB000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.349301089.00000000015DF000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.304222076.00000000015DA000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000002.351250737.0000000003B7F000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.349152083.00000000015FE000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.266915772.0000000001612000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.349183450.0000000001603000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.348127021.0000000003B71000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.349121259.00000000015DE000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000002.350825569.0000000001613000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000002.350733762.00000000015E1000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.304259450.00000000015FE000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.348370669.00000000015DB000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.348413205.00000000015FE000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
              Source: plcd-player.exe, 00000011.00000002.528124057.00000000010CA000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_6DA76FED IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_6DA76FED
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_001A1264 LoadLibraryA,GetProcAddress,17_2_001A1264
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_00202090 GetProcessHeap,RtlAllocateHeap,17_2_00202090
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_6DA85BE9 mov eax, dword ptr fs:[00000030h]17_2_6DA85BE9
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_00355B18 mov eax, dword ptr fs:[00000030h]17_2_00355B18
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_00366DDC mov eax, dword ptr fs:[00000030h]17_2_00366DDC
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_0039AC46 mov eax, dword ptr fs:[00000030h]17_2_0039AC46
              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_6DA76FED IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_6DA76FED
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_6DA67D41 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_6DA67D41
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_00347C2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_00347C2C
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_00359C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_00359C76
              Source: C:\Users\user\Desktop\jXzrIReInY.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\jXzrIReInY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876902 " AI_EUIMSI="
              Source: C:\Users\user\Desktop\jXzrIReInY.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\jXzrIReInY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876902 " AI_EUIMSI="Jump to behavior
              Source: plcd-player.exe, 00000011.00000002.528977634.0000000001790000.00000002.00020000.sdmpBinary or memory string: uProgram Manager
              Source: plcd-player.exe, 00000011.00000002.528977634.0000000001790000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
              Source: plcd-player.exe, 00000011.00000002.528977634.0000000001790000.00000002.00020000.sdmpBinary or memory string: Progman
              Source: plcd-player.exe, 00000011.00000002.528977634.0000000001790000.00000002.00020000.sdmpBinary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\jXzrIReInY.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,17_2_0036E1C8
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: EnumSystemLocalesW,17_2_0036E46A
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: EnumSystemLocalesW,17_2_0036E4B5
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: EnumSystemLocalesW,17_2_0036E550
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: EnumSystemLocalesW,17_2_0036655F
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,17_2_0036E954
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: GetLocaleInfoW,17_2_00366AC1
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,17_2_0036EB29
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exeCode function: 17_2_02CE7A2E cpuid 17_2_02CE7A2E
              Source: C:\Users\user\Desktop\jXzrIReInY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe