Edit tour

Windows Analysis Report
nzLoHpgAln.exe

Overview

General Information

Sample name:	nzLoHpgAln.exe renamed because original name is a hash value
Original sample name:	9f417a8434a3ea2932b0a23ebae7e7fa.exe
Analysis ID:	1583001
MD5:	9f417a8434a3ea2932b0a23ebae7e7fa
SHA1:	fcf9b06b8bbd53e0b230c04a99bcc4c8f3bcec2f
SHA256:	9632b0c0e242cef53b06a4e52dd154620184dded677e0a11be162278d8352b4e
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected RedLine Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

nzLoHpgAln.exe (PID: 6176 cmdline: "C:\Users\user\Desktop\nzLoHpgAln.exe" MD5: 9F417A8434A3EA2932B0A23EBAE7E7FA)

powershell.exe (PID: 6660 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6348 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7472 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 4296 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nzLoHpgAln.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\nzLoHpgAln.exe" MD5: 9F417A8434A3EA2932B0A23EBAE7E7FA)

conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wZWwzQVEakJvEU.exe (PID: 7408 cmdline: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe MD5: 9F417A8434A3EA2932B0A23EBAE7E7FA)

schtasks.exe (PID: 7680 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpE7EE.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wZWwzQVEakJvEU.exe (PID: 7732 cmdline: "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe" MD5: 9F417A8434A3EA2932B0A23EBAE7E7FA)

conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.222.57.76:55615"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x13b5a:$a4: get_ScannedWallets 0x129b8:$a5: get_ScanTelegram 0x137de:$a6: get_ScanGeckoBrowsersPaths 0x115fa:$a7: <Processes>k__BackingField 0xf50c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x10f2e:$a9: <ScanFTP>k__BackingField
00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x17b3a:$a4: get_ScannedWallets 0x2f75a:$a4: get_ScannedWallets 0x16998:$a5: get_ScanTelegram 0x2e5b8:$a5: get_ScanTelegram 0x177be:$a6: get_ScanGeckoBrowsersPaths 0x2f3de:$a6: get_ScanGeckoBrowsersPaths 0x155da:$a7: <Processes>k__BackingField 0x2d1fa:$a7: <Processes>k__BackingField 0x134ec:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x2b10c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x14f0e:$a9: <ScanFTP>k__BackingField 0x2cb2e:$a9: <ScanFTP>k__BackingField
00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x24f1b2:$a4: get_ScannedWallets 0x266fd2:$a4: get_ScannedWallets 0x27ebf2:$a4: get_ScannedWallets 0x24e010:$a5: get_ScanTelegram 0x265e30:$a5: get_ScanTelegram 0x27da50:$a5: get_ScanTelegram 0x24ee36:$a6: get_ScanGeckoBrowsersPaths 0x266c56:$a6: get_ScanGeckoBrowsersPaths 0x27e876:$a6: get_ScanGeckoBrowsersPaths 0x24cc52:$a7: <Processes>k__BackingField 0x264a72:$a7: <Processes>k__BackingField 0x27c692:$a7: <Processes>k__BackingField 0x24ab64:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x262984:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x27a5a4:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x24c586:$a9: <ScanFTP>k__BackingField 0x2643a6:$a9: <ScanFTP>k__BackingField 0x27bfc6:$a9: <ScanFTP>k__BackingField
Process Memory Space: nzLoHpgAln.exe PID: 6176	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nzLoHpgAln.exe PID: 6176	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: nzLoHpgAln.exe PID: 6176	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: nzLoHpgAln.exe PID: 6176	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x3903e:$a4: get_ScannedWallets 0x380f4:$a5: get_ScanTelegram 0x38d31:$a6: get_ScanGeckoBrowsersPaths 0x36fd3:$a7: <Processes>k__BackingField 0x345c2:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x36907:$a9: <ScanFTP>k__BackingField
Process Memory Space: nzLoHpgAln.exe PID: 7312	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nzLoHpgAln.exe PID: 7312	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: nzLoHpgAln.exe PID: 7312	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x13f803:$a4: get_ScannedWallets 0x13e6aa:$a5: get_ScanTelegram 0x13f48c:$a6: get_ScanGeckoBrowsersPaths 0x13d33d:$a7: <Processes>k__BackingField 0x13a870:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x13cc71:$a9: <ScanFTP>k__BackingField
Process Memory Space: wZWwzQVEakJvEU.exe PID: 7408	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wZWwzQVEakJvEU.exe PID: 7408	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: wZWwzQVEakJvEU.exe PID: 7408	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: wZWwzQVEakJvEU.exe PID: 7408	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x63a0:$a4: get_ScannedWallets 0x79edc:$a4: get_ScannedWallets 0x5247:$a5: get_ScanTelegram 0x78d83:$a5: get_ScanTelegram 0x6029:$a6: get_ScanGeckoBrowsersPaths 0x79b65:$a6: get_ScanGeckoBrowsersPaths 0x3eda:$a7: <Processes>k__BackingField 0x77a16:$a7: <Processes>k__BackingField 0x140d:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x74f49:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x380e:$a9: <ScanFTP>k__BackingField 0x7734a:$a9: <ScanFTP>k__BackingField
Process Memory Space: wZWwzQVEakJvEU.exe PID: 7732	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wZWwzQVEakJvEU.exe PID: 7732	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125bd:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
0.2.nzLoHpgAln.exe.3eccbe8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.nzLoHpgAln.exe.3eccbe8.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.nzLoHpgAln.exe.3eccbe8.2.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.nzLoHpgAln.exe.3eccbe8.2.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125bd:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.nzLoHpgAln.exe.3eccbe8.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
8.2.nzLoHpgAln.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.nzLoHpgAln.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
8.2.nzLoHpgAln.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
8.2.nzLoHpgAln.exe.400000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
8.2.nzLoHpgAln.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125bd:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b1ea:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a048:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2ae6e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28c8a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26b9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x285be:$a9: <ScanFTP>k__BackingField
10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x295eb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x2961f:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x29648:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x2b887:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x2ae03:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x2b14b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x2aa81:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x2826f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x20358:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x20d38:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet
10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x280aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b761:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20d50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ac99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x282ab:$v2_2: get_ScanVPN 0x2834e:$v2_2: get_ScanFTP
0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b3ea:$a4: get_ScannedWallets 0x4300a:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a248:$a5: get_ScanTelegram 0x41e68:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2b06e:$a6: get_ScanGeckoBrowsersPaths 0x42c8e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28e8a:$a7: <Processes>k__BackingField 0x40aaa:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26d9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x3e9bc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x287be:$a9: <ScanFTP>k__BackingField 0x403de:$a9: <ScanFTP>k__BackingField
0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x297eb:$gen01: ChromeGetRoamingName 0x4140b:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x2981f:$gen02: ChromeGetLocalName 0x4143f:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x29848:$gen03: get_UserDomainName 0x41468:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x2ba87:$gen04: get_encrypted_key 0x436a7:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x2b003:$gen05: browserPaths 0x42c23:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x2b34b:$gen06: GetBrowsers 0x42f6b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x2ac81:$gen07: get_InstalledInputLanguages 0x428a1:$gen07: get_InstalledInputLanguages
0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282aa:$u7: RunPE 0x3feca:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b961:$u8: DownloadAndEx 0x43581:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f50:$pat14: , CommandLine: 0x38b70:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ae99:$v2_1: ListOfProcesses 0x42ab9:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers
0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0xcc20a:$a4: get_ScannedWallets 0xe402a:$a4: get_ScannedWallets 0xfbc4a:$a4: get_ScannedWallets 0xcb068:$a5: get_ScanTelegram 0xe2e88:$a5: get_ScanTelegram 0xfaaa8:$a5: get_ScanTelegram 0xcbe8e:$a6: get_ScanGeckoBrowsersPaths 0xe3cae:$a6: get_ScanGeckoBrowsersPaths 0xfb8ce:$a6: get_ScanGeckoBrowsersPaths 0xc9caa:$a7: <Processes>k__BackingField 0xe1aca:$a7: <Processes>k__BackingField 0xf96ea:$a7: <Processes>k__BackingField 0xc7bbc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xdf9dc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xf75fc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xc95de:$a9: <ScanFTP>k__BackingField 0xe13fe:$a9: <ScanFTP>k__BackingField 0xf901e:$a9: <ScanFTP>k__BackingField
0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xca60b:$gen01: ChromeGetRoamingName 0xe242b:$gen01: ChromeGetRoamingName 0xfa04b:$gen01: ChromeGetRoamingName 0xca63f:$gen02: ChromeGetLocalName 0xe245f:$gen02: ChromeGetLocalName 0xfa07f:$gen02: ChromeGetLocalName 0xca668:$gen03: get_UserDomainName 0xe2488:$gen03: get_UserDomainName 0xfa0a8:$gen03: get_UserDomainName 0xcc8a7:$gen04: get_encrypted_key 0xe46c7:$gen04: get_encrypted_key 0xfc2e7:$gen04: get_encrypted_key 0xcbe23:$gen05: browserPaths 0xe3c43:$gen05: browserPaths 0xfb863:$gen05: browserPaths 0xcc16b:$gen06: GetBrowsers 0xe3f8b:$gen06: GetBrowsers 0xfbbab:$gen06: GetBrowsers 0xcbaa1:$gen07: get_InstalledInputLanguages 0xe38c1:$gen07: get_InstalledInputLanguages 0xfb4e1:$gen07: get_InstalledInputLanguages
0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xc90ca:$u7: RunPE 0xe0eea:$u7: RunPE 0xf8b0a:$u7: RunPE 0xcc781:$u8: DownloadAndEx 0xe45a1:$u8: DownloadAndEx 0xfc1c1:$u8: DownloadAndEx 0xc1d70:$pat14: , CommandLine: 0xd9b90:$pat14: , CommandLine: 0xf17b0:$pat14: , CommandLine: 0xcbcb9:$v2_1: ListOfProcesses 0xe3ad9:$v2_1: ListOfProcesses 0xfb6f9:$v2_1: ListOfProcesses 0xc92cb:$v2_2: get_ScanVPN 0xc936e:$v2_2: get_ScanFTP 0xca05e:$v2_2: get_ScanDiscord 0xcb04c:$v2_2: get_ScanSteam 0xcb068:$v2_2: get_ScanTelegram 0xcb10e:$v2_2: get_ScanScreen 0xcbe56:$v2_2: get_ScanChromeBrowsersPaths 0xcbe8e:$v2_2: get_ScanGeckoBrowsersPaths 0xcc149:$v2_2: get_ScanBrowsers
0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x6fbea:$a4: get_ScannedWallets 0x87a0a:$a4: get_ScannedWallets 0x9f62a:$a4: get_ScannedWallets 0x6ea48:$a5: get_ScanTelegram 0x86868:$a5: get_ScanTelegram 0x9e488:$a5: get_ScanTelegram 0x6f86e:$a6: get_ScanGeckoBrowsersPaths 0x8768e:$a6: get_ScanGeckoBrowsersPaths 0x9f2ae:$a6: get_ScanGeckoBrowsersPaths 0x6d68a:$a7: <Processes>k__BackingField 0x854aa:$a7: <Processes>k__BackingField 0x9d0ca:$a7: <Processes>k__BackingField 0x6b59c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x833bc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x9afdc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x6cfbe:$a9: <ScanFTP>k__BackingField 0x84dde:$a9: <ScanFTP>k__BackingField 0x9c9fe:$a9: <ScanFTP>k__BackingField
0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x6dfeb:$gen01: ChromeGetRoamingName 0x85e0b:$gen01: ChromeGetRoamingName 0x9da2b:$gen01: ChromeGetRoamingName 0x6e01f:$gen02: ChromeGetLocalName 0x85e3f:$gen02: ChromeGetLocalName 0x9da5f:$gen02: ChromeGetLocalName 0x6e048:$gen03: get_UserDomainName 0x85e68:$gen03: get_UserDomainName 0x9da88:$gen03: get_UserDomainName 0x70287:$gen04: get_encrypted_key 0x880a7:$gen04: get_encrypted_key 0x9fcc7:$gen04: get_encrypted_key 0x6f803:$gen05: browserPaths 0x87623:$gen05: browserPaths 0x9f243:$gen05: browserPaths 0x6fb4b:$gen06: GetBrowsers 0x8796b:$gen06: GetBrowsers 0x9f58b:$gen06: GetBrowsers 0x6f481:$gen07: get_InstalledInputLanguages 0x872a1:$gen07: get_InstalledInputLanguages 0x9eec1:$gen07: get_InstalledInputLanguages
0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x6caaa:$u7: RunPE 0x848ca:$u7: RunPE 0x9c4ea:$u7: RunPE 0x70161:$u8: DownloadAndEx 0x87f81:$u8: DownloadAndEx 0x9fba1:$u8: DownloadAndEx 0x65750:$pat14: , CommandLine: 0x7d570:$pat14: , CommandLine: 0x95190:$pat14: , CommandLine: 0x6f699:$v2_1: ListOfProcesses 0x874b9:$v2_1: ListOfProcesses 0x9f0d9:$v2_1: ListOfProcesses 0x6ccab:$v2_2: get_ScanVPN 0x6cd4e:$v2_2: get_ScanFTP 0x6da3e:$v2_2: get_ScanDiscord 0x6ea2c:$v2_2: get_ScanSteam 0x6ea48:$v2_2: get_ScanTelegram 0x6eaee:$v2_2: get_ScanScreen 0x6f836:$v2_2: get_ScanChromeBrowsersPaths 0x6f86e:$v2_2: get_ScanGeckoBrowsersPaths 0x6fb29:$v2_2: get_ScanBrowsers
Click to see the 40 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\nzLoHpgAln.exe", ParentImage: C:\Users\user\Desktop\nzLoHpgAln.exe, ParentProcessId: 6176, ParentProcessName: nzLoHpgAln.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe", ProcessId: 6660, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpE7EE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpE7EE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe, ParentImage: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe, ParentProcessId: 7408, ParentProcessName: wZWwzQVEakJvEU.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpE7EE.tmp", ProcessId: 7680, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\nzLoHpgAln.exe", ParentImage: C:\Users\user\Desktop\nzLoHpgAln.exe, ParentProcessId: 6176, ParentProcessName: nzLoHpgAln.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp", ProcessId: 4296, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\nzLoHpgAln.exe", ParentImage: C:\Users\user\Desktop\nzLoHpgAln.exe, ParentProcessId: 6176, ParentProcessName: nzLoHpgAln.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe", ProcessId: 6660, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\nzLoHpgAln.exe", ParentImage: C:\Users\user\Desktop\nzLoHpgAln.exe, ParentProcessId: 6176, ParentProcessName: nzLoHpgAln.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp", ProcessId: 4296, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T12:32:10.718870+0100	2045000	1	Malware Command and Control Activity Detected	185.222.57.76	55615	192.168.2.4	49736	TCP
2025-01-01T12:32:20.107021+0100	2045000	1	Malware Command and Control Activity Detected	185.222.57.76	55615	192.168.2.4	49739	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T12:32:13.487839+0100	2046056	1	A Network Trojan was detected	185.222.57.76	55615	192.168.2.4	49736	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T12:32:13.487839+0100	2045001	1	Malware Command and Control Activity Detected	185.222.57.76	55615	192.168.2.4	49736	TCP
2025-01-01T12:32:23.023775+0100	2045001	1	Malware Command and Control Activity Detected	185.222.57.76	55615	192.168.2.4	49739	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T12:32:05.708973+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.4	49736	185.222.57.76	55615	TCP
2025-01-01T12:32:14.896477+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.4	49739	185.222.57.76	55615	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T12:32:10.927753+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.4	49736	185.222.57.76	55615	TCP
2025-01-01T12:32:20.318381+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.4	49739	185.222.57.76	55615	TCP

ETPRO MALWARE RedLine - GetUpdates Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T12:32:15.419091+0100	2848200	1	Malware Command and Control Activity Detected	192.168.2.4	49741	185.222.57.76	55615	TCP
2025-01-01T12:32:24.903101+0100	2848200	1	Malware Command and Control Activity Detected	192.168.2.4	49749	185.222.57.76	55615	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T12:32:13.891111+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.4	49738	185.222.57.76	55615	TCP
2025-01-01T12:32:23.435176+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.4	49748	185.222.57.76	55615	TCP

Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T12:32:05.708973+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.4	49736	185.222.57.76	55615	TCP
2025-01-01T12:32:14.896477+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.4	49739	185.222.57.76	55615	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["185.222.57.76:55615"], "Bot Id": "cheat"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: nzLoHpgAln.exe	ReversingLabs: Detection: 63%
Source: nzLoHpgAln.exe	Virustotal: Detection: 56%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: nzLoHpgAln.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

Unpacked PE file: 0.2.nzLoHpgAln.exe.40000.0.unpack

Source: nzLoHpgAln.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: nzLoHpgAln.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_048FD088
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_048FAF2C
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 4x nop then jmp 09F4ABF9h	0_2_09F4AE83
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 4x nop then jmp 0A049F11h	10_2_0A04A19B

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.4:49736 -> 185.222.57.76:55615
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49736 -> 185.222.57.76:55615
Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.4:49739 -> 185.222.57.76:55615
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49739 -> 185.222.57.76:55615
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.4:49738 -> 185.222.57.76:55615
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.4:49741 -> 185.222.57.76:55615
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 185.222.57.76:55615 -> 192.168.2.4:49736
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.4:49736 -> 185.222.57.76:55615
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 185.222.57.76:55615 -> 192.168.2.4:49736
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 185.222.57.76:55615 -> 192.168.2.4:49736
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.4:49748 -> 185.222.57.76:55615
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 185.222.57.76:55615 -> 192.168.2.4:49739
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.4:49739 -> 185.222.57.76:55615
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.4:49749 -> 185.222.57.76:55615
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 185.222.57.76:55615 -> 192.168.2.4:49739

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 185.222.57.76:55615

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49749

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 185.222.57.76:55615

Source: global traffic

TCP traffic: 192.168.2.4:61325 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.57.76:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.57.76:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.57.76:55615Content-Length: 953964Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.57.76:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.57.76:55615Content-Length: 953956Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.57.76:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.57.76:55615Content-Length: 953783Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.57.76:55615Content-Length: 953775Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.57.76:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.000000000305C000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003533000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.57.76:5
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003311000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.57.76:55615
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.57.76:55615/
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.57.76:55615t-
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: nzLoHpgAln.exe, 00000000.00000002.1751633310.0000000002732000.00000004.00000800.00020000.00000000.sdmp, nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1849378613.0000000002C39000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003311000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.000000000305C000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003533000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003311000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.00000000032D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.00000000032D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip
Source: nzLoHpgAln.exe, nzLoHpgAln.exe, 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: nzLoHpgAln.exe, nzLoHpgAln.exe, 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: nzLoHpgAln.exe, nzLoHpgAln.exe, 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.nzLoHpgAln.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 8.2.nzLoHpgAln.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 8.2.nzLoHpgAln.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: nzLoHpgAln.exe PID: 6176, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: nzLoHpgAln.exe PID: 7312, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: wZWwzQVEakJvEU.exe PID: 7408, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_008107D4 NtQueryInformationProcess,		0_2_008107D4
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB07D4 NtQueryInformationProcess,		10_2_00FB07D4

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_00812820	0_2_00812820
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_008114D0	0_2_008114D0
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_00811DA0	0_2_00811DA0
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_00819D28	0_2_00819D28
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_008186A9	0_2_008186A9
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_008158A9	0_2_008158A9
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_008158B8	0_2_008158B8
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_008108D1	0_2_008108D1
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_00818960	0_2_00818960
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_00818970	0_2_00818970
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_00815AF0	0_2_00815AF0
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_00815D80	0_2_00815D80
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_008146A9	0_2_008146A9
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_008146B8	0_2_008146B8
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_008117D0	0_2_008117D0
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_00815F50	0_2_00815F50
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_048FA41A	0_2_048FA41A
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_048FA428	0_2_048FA428
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_048F847C	0_2_048F847C
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09C32030	0_2_09C32030
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09C32020	0_2_09C32020
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09F4C480	0_2_09F4C480
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09F44BE8	0_2_09F44BE8
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09F44374	0_2_09F44374
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09F462C0	0_2_09F462C0
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09F447B0	0_2_09F447B0
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09F45E88	0_2_09F45E88
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 8_2_02BEE7B0	8_2_02BEE7B0
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 8_2_02BEDC90	8_2_02BEDC90
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 8_2_06714468	8_2_06714468
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 8_2_06719628	8_2_06719628
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 8_2_06711210	8_2_06711210
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 8_2_06713320	8_2_06713320
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 8_2_0671D108	8_2_0671D108
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 8_2_0671DD00	8_2_0671DD00
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB2820	10_2_00FB2820
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB14D0	10_2_00FB14D0
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB1D99	10_2_00FB1D99
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB9D28	10_2_00FB9D28
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB86A9	10_2_00FB86A9
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB08D1	10_2_00FB08D1
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB58B8	10_2_00FB58B8
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB58A9	10_2_00FB58A9
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB8970	10_2_00FB8970
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB8960	10_2_00FB8960
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB5AF0	10_2_00FB5AF0
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB5D80	10_2_00FB5D80
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB46B8	10_2_00FB46B8
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB46A9	10_2_00FB46A9
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB17D0	10_2_00FB17D0
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB5F50	10_2_00FB5F50
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_09D22030	10_2_09D22030
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_09D22020	10_2_09D22020
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_0A04BAB0	10_2_0A04BAB0
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_0A041807	10_2_0A041807
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_0A046290	10_2_0A046290
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_0A044BB8	10_2_0A044BB8
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_0A0466C8	10_2_0A0466C8
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_0A044FF0	10_2_0A044FF0
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 14_2_014AE7B0	14_2_014AE7B0
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 14_2_014ADC90	14_2_014ADC90
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 14_2_06A99628	14_2_06A99628
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 14_2_06A94468	14_2_06A94468
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 14_2_06A91210	14_2_06A91210
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 14_2_06A93311	14_2_06A93311
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 14_2_06A9DD00	14_2_06A9DD00
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 14_2_06A9CD11	14_2_06A9CD11
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 14_2_06A9D108	14_2_06A9D108

Source: nzLoHpgAln.exe, 00000000.00000002.1751633310.0000000002814000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000000.00000002.1751633310.000000000240E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000000.00000002.1764633951.00000000095DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVGHA.exe, vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000000.00000002.1754649711.0000000003C53000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000000.00000000.1656400006.0000000000042000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVGHA.exe, vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000000.00000002.1764256150.00000000093C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000000.00000002.1764433116.0000000009574000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000000.00000002.1765355652.0000000009EC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000000.00000002.1750655160.000000000084E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002DC2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefirefox.exe0 vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXED vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\080904B0\\OriginalFilename vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsedge.exe> vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe	Binary or memory string: OriginalFilenameVGHA.exe, vs nzLoHpgAln.exe

Source: nzLoHpgAln.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.nzLoHpgAln.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 8.2.nzLoHpgAln.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 8.2.nzLoHpgAln.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: nzLoHpgAln.exe PID: 6176, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: nzLoHpgAln.exe PID: 7312, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: wZWwzQVEakJvEU.exe PID: 7408, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: nzLoHpgAln.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wZWwzQVEakJvEU.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, lF62eOBaEgEorXmRSl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, lF62eOBaEgEorXmRSl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: _0020.SetAccessControl
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: _0020.AddAccessRule
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, lF62eOBaEgEorXmRSl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: _0020.SetAccessControl
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: _0020.AddAccessRule
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, lF62eOBaEgEorXmRSl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: _0020.SetAccessControl
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: _0020.AddAccessRule
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, lF62eOBaEgEorXmRSl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: _0020.SetAccessControl
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: _0020.AddAccessRule
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: _0020.SetAccessControl
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/103@1/1

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

File created: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_03
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Mutant created: \Sessions\1\BaseNamedObjects\eoQOydmdtHej
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

File created: C:\Users\user\AppData\Local\Temp\tmpC18A.tmp

Jump to behavior

Source: nzLoHpgAln.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: nzLoHpgAln.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmp446E.tmp.14.dr, tmp4490.tmp.14.dr, tmpAAF.tmp.14.dr, tmp446F.tmp.14.dr, tmpE705.tmp.8.dr, tmp447F.tmp.14.dr, tmpE728.tmp.8.dr, tmpE6F4.tmp.8.dr, tmpE717.tmp.8.dr, tmpE716.tmp.8.dr, tmpA9F.tmp.14.dr, tmpE704.tmp.8.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: nzLoHpgAln.exe	ReversingLabs: Detection: 63%
Source: nzLoHpgAln.exe	Virustotal: Detection: 56%

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

File read: C:\Users\user\Desktop\nzLoHpgAln.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\nzLoHpgAln.exe "C:\Users\user\Desktop\nzLoHpgAln.exe"
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Users\user\Desktop\nzLoHpgAln.exe "C:\Users\user\Desktop\nzLoHpgAln.exe"
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpE7EE.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process created: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe"
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Users\user\Desktop\nzLoHpgAln.exe "C:\Users\user\Desktop\nzLoHpgAln.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpE7EE.tmp"
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process created: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe"

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: windowscodecs.dll

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: nzLoHpgAln.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: nzLoHpgAln.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

Unpacked PE file: 0.2.nzLoHpgAln.exe.40000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

Unpacked PE file: 0.2.nzLoHpgAln.exe.40000.0.unpack

.NET source code contains potential unpacker

Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, EDIZWacnsQLqU7bbhP.cs	.Net Code: cLg7QZLUNs System.Reflection.Assembly.Load(byte[])
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, EDIZWacnsQLqU7bbhP.cs	.Net Code: cLg7QZLUNs System.Reflection.Assembly.Load(byte[])
Source: 0.2.nzLoHpgAln.exe.3c71a18.1.raw.unpack, MainForm.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.nzLoHpgAln.exe.93c0000.5.raw.unpack, MainForm.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, EDIZWacnsQLqU7bbhP.cs	.Net Code: cLg7QZLUNs System.Reflection.Assembly.Load(byte[])
Source: 10.2.wZWwzQVEakJvEU.exe.44b3ad8.4.raw.unpack, MainForm.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, EDIZWacnsQLqU7bbhP.cs	.Net Code: cLg7QZLUNs System.Reflection.Assembly.Load(byte[])
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, EDIZWacnsQLqU7bbhP.cs	.Net Code: cLg7QZLUNs System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_00042182 push FFFFFFB1h; retf	0_2_00042184
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_000420F3 push ss; ret	0_2_000420F9
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_0004227A push ecx; ret	0_2_0004227B
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_008122C7 push edi; retf	0_2_008122CD
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09C3C5D0 push es; retn 0009h	0_2_09C3C5D2
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09C3C5A9 push es; retn 0009h	0_2_09C3C5AA
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09C3DBE9 push ss; retn 0009h	0_2_09C3DBEA
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09C3DD38 push edi; retn 0009h	0_2_09C3DD3A
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09C3D239 push cs; retn 0009h	0_2_09C3D23A
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09F4CCA0 push 09F4CFEFh; iretd	0_2_09F4CFE3
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09F40979 pushfd ; retn 0009h	0_2_09F4097A
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09F404E8 push esp; ret	0_2_09F404E9
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 8_2_06712DB8 pushad ; retf 5505h	8_2_06712EB6
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB22C7 push edi; retf	10_2_00FB22CD
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_0A0404E8 push esp; ret	10_2_0A0404E9
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 14_2_06A9E5C0 push es; ret	14_2_06A9E5D0

Source: nzLoHpgAln.exe	Static PE information: section name: .text entropy: 7.677345826852639
Source: wZWwzQVEakJvEU.exe.0.dr	Static PE information: section name: .text entropy: 7.677345826852639

Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, Vs82vkHUR5m9RCYE2bP.cs	High entropy of concatenated method names: 'ToString', 'KfX6BMTyh7', 'xB76Kn2Wpo', 'zuV6Ze8RcL', 'FZw63IgMg0', 'l4a6FPHtQ6', 'MAG6Td04QD', 'kYv6t6R6yY', 'GjZfER1IO7Ml5BMDRtH', 'GL7pWy1Z0kwjW3OdYep'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, lF62eOBaEgEorXmRSl.cs	High entropy of concatenated method names: 'iwRDfGIkgE', 'QjYDh8EXqc', 'SsPDWoPN32', 'GmADMksnIc', 'Is6D1jKVbG', 'I5kDwCg0R9', 'YkMDxlMml4', 'cqUDNP7QiU', 'aEPD4EPsAy', 'FH7DL0Asye'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, Dqnxs234kMblUpWIWe.cs	High entropy of concatenated method names: 'THiGewLSWx', 'xvbGDWOODP', 'cWbGuULGWK', 'naCGy2oX6x', 'd7vGcBa6cO', 'eyou1dQ4pM', 'kbnuwftVYT', 'PYuuxbMh1B', 'XjeuN4ZoT4', 'k4Cu4iBqPt'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, R9ihZtK1dSap2DSgRG.cs	High entropy of concatenated method names: 'xH1qEPtVAl', 'gMtqbbJkpd', 'JlpqB25eCM', 'NoiqKaCu0X', 'DCPqiDF8Xt', 'BbBqI1vGgK', 'nZwqYiIpom', 'VETqSJfEol', 'sLqqseFf6k', 'zjNqmjeRt4'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, rdDn9AZRble9iQ9Uqj.cs	High entropy of concatenated method names: 'EequOEL5lC', 'NbIu51eamH', 'qyuqTnnIpG', 'M2Qqt1KgVv', 'Op1qrcmPaR', 'JuFqabP01V', 'QoQqV1PoE2', 'grQq8864NF', 'Np6qjdLkrD', 'BpCqnYSTOk'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, hKo5edfWLak4Bbqtne.cs	High entropy of concatenated method names: 'uDMin9kJ4j', 'TwiipFCVU9', 'yBAiflrCy8', 'jJHihWOmfb', 'WaDiFLfcme', 'O5kiTrdenj', 'nSYitbxRXp', 'dd4irfONIq', 'AwmiaheyoW', 'QXwiVnSATc'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, WTdydw7kwQos9Ag2hA.cs	High entropy of concatenated method names: 'XnJHyF62eO', 'KEgHcEorXm', 'I1dHXSap2D', 'rgRHdGsdDn', 'z9UHiqjBqn', 'Vs2HI4kMbl', 'FBdE0xi06QEIGbChRo', 'zIcGsgCEAFGoBOwjJW', 'OcsHH4wRHq', 'm1eHlQwcuZ'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, c2189dMeFcQwlCkDNo.cs	High entropy of concatenated method names: 'tycYXgX4IL', 'xcAYdeKiZv', 'ToString', 'vmMYCTO6V4', 'DoYYDU59PA', 'wuwYqhlbkT', 'MRyYulAB1T', 'NnnYGlmcnN', 'pl7YyLS7WE', 'EolYctOKcZ'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, JbGBKdj6ZIOo4f2BPQ.cs	High entropy of concatenated method names: 'NpFygJGQoy', 'ok3yk3YCOq', 'dHtyQNfrGo', 'B11yEmuFYr', 'i7XyOZetDI', 'MrRybkJ58q', 'o9Ay50huCS', 'W4XyBGlK6A', 'HYHyKiPwKX', 'KF4yZdU6lb'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, EDIZWacnsQLqU7bbhP.cs	High entropy of concatenated method names: 'dIWleBJaUb', 'fuJlCU5pPg', 'PT9lDBVKdx', 'PSalq1OK3O', 'dyXluwojvM', 'IpBlG2Bi8w', 'OsvlyjvwpG', 'FTClcGgLKf', 'qbJlJr3LlC', 'nsylXUVP8L'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, DgkowV47Dh3Fxfd92L.cs	High entropy of concatenated method names: 'hfps3nV9Au', 'U26sFkKC7K', 'BnDsThiqJu', 'UShstLseQu', 'QebsrlHGXx', 'QeTsayQhIQ', 'pPZsVs0YpI', 'nEss8RKrgy', 'SDqsjhSJZ0', 'gWEsnyEyGT'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, fKewcCzIDSttxbv6Cl.cs	High entropy of concatenated method names: 'GZomb8TeAX', 'rcQmBfQBPY', 'RDSmKKcrYt', 'r4gm3oGsfC', 'a3hmFiCyox', 'bkvmt3aMEB', 'jx3mrdiQhQ', 'Skom2cVmJ4', 'nR7mg88OKt', 't5DmkSyAqW'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, T2nxZyWI6ZVQTBtP96.cs	High entropy of concatenated method names: 'ToString', 'FHbIv7sdct', 'e7OIFs3HOA', 'r5IIThqPl3', 'i2RItKsG4k', 'QOjIr5yarH', 'FvNIaqr3Xo', 'Ud9IVYa8YE', 'DXEI8UseS8', 'LPuIjuyE7K'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, ssoHYO9CZv0DV6pGUv.cs	High entropy of concatenated method names: 'xGk0BfZgTU', 'gZj0KItla1', 'aUh03ytvB5', 'BNf0FbQD43', 'Dts0tFSCEY', 'Qow0rsiLsP', 'GCF0V1nuab', 'eFg08jmurs', 'qfS0nPubql', 'Ole0v8nioF'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, fJ02oKDU7jd18ANgNc.cs	High entropy of concatenated method names: 'Dispose', 'EHTH4bcHbO', 'bxFUF2orfZ', 'hdFJYAgReD', 'TrNHLv6dJo', 'dukHz147Cw', 'ProcessDialogKey', 'YZBUAgkowV', 'dDhUH3Fxfd', 'Q2LUUNnxfd'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, XnxfdvL1wIjOTvPVmK.cs	High entropy of concatenated method names: 'b1lmqgUa6q', 'dtAmu26Sir', 'D3fmGtYCAc', 'wJKmyNZJqJ', 'zTKmsBJyyJ', 'hdYmcQ0id4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, HFhy6EHAGyTn8yOrkLt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pK6mvVucic', 'JtrmpeQLM3', 'Sj9m9uh2y0', 'fIXmfoD3VK', 't3imh4jJWk', 'oeFmWXtOZX', 'bvAmMJDc11'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, DKJ6PHUd9naUoeJCna.cs	High entropy of concatenated method names: 'swwQFFQbu', 'io5EBuFGC', 'sFfb8pyx1', 'JUl5kqrHa', 'uJXKOHA5M', 'hS3ZZ14sQ', 'k18oVIv0U7RiOT8Orh', 'k5o1tYNsT2YnI8ljjy', 'PvkSr46vN', 'hchmanBLj'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, tViMi8xroKHTbcHbOM.cs	High entropy of concatenated method names: 'aaEsia69pk', 'zpNsYrnPZM', 'd2Hss3R6Jb', 't53s6HZgj2', 'A1rsRGpI5M', 'UCgs2aWcZJ', 'Dispose', 'pIoSCYEost', 'QAjSD4uYAe', 'fn3SqRpg9H'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, k27kfyHHonG7KUUcJBK.cs	High entropy of concatenated method names: 'z0WmLhK6XD', 'SdDmzeA4lF', 'tIn6ABldAN', 'RbZ6HWVHCS', 'Hjm6Ub5XDP', 'jKI6lp5iCZ', 'BJe67OKeqo', 'Ds46ejlZDk', 'NgQ6CpOQh7', 'Dcm6DoFoI7'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, bXPpnuV1cYWsbLvy9E.cs	High entropy of concatenated method names: 'VyuyCViDFQ', 'UgnyquY8I5', 'fT2yGZruLQ', 'zq9GLL2n9k', 'kh4GzwBHBD', 'l9QyAIhQdQ', 'hxvyHf4xuM', 'uKRyUrXavS', 't1qylB4iI0', 'hJ7y7B4cdM'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, BZ0TvmwFdgLu3v1uns.cs	High entropy of concatenated method names: 'xU6YNrTpfQ', 'MHqYLww1DE', 'IRFSAAuVEM', 'UfiSHJpDRa', 'co0YvMY0kI', 'XS9YpvAFDs', 'tvyY9e2WWn', 'ooMYfhOr4q', 'rKvYhVrSHl', 'kVqYWoZpFC'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, Vs82vkHUR5m9RCYE2bP.cs	High entropy of concatenated method names: 'ToString', 'KfX6BMTyh7', 'xB76Kn2Wpo', 'zuV6Ze8RcL', 'FZw63IgMg0', 'l4a6FPHtQ6', 'MAG6Td04QD', 'kYv6t6R6yY', 'GjZfER1IO7Ml5BMDRtH', 'GL7pWy1Z0kwjW3OdYep'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, lF62eOBaEgEorXmRSl.cs	High entropy of concatenated method names: 'iwRDfGIkgE', 'QjYDh8EXqc', 'SsPDWoPN32', 'GmADMksnIc', 'Is6D1jKVbG', 'I5kDwCg0R9', 'YkMDxlMml4', 'cqUDNP7QiU', 'aEPD4EPsAy', 'FH7DL0Asye'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, Dqnxs234kMblUpWIWe.cs	High entropy of concatenated method names: 'THiGewLSWx', 'xvbGDWOODP', 'cWbGuULGWK', 'naCGy2oX6x', 'd7vGcBa6cO', 'eyou1dQ4pM', 'kbnuwftVYT', 'PYuuxbMh1B', 'XjeuN4ZoT4', 'k4Cu4iBqPt'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, R9ihZtK1dSap2DSgRG.cs	High entropy of concatenated method names: 'xH1qEPtVAl', 'gMtqbbJkpd', 'JlpqB25eCM', 'NoiqKaCu0X', 'DCPqiDF8Xt', 'BbBqI1vGgK', 'nZwqYiIpom', 'VETqSJfEol', 'sLqqseFf6k', 'zjNqmjeRt4'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, rdDn9AZRble9iQ9Uqj.cs	High entropy of concatenated method names: 'EequOEL5lC', 'NbIu51eamH', 'qyuqTnnIpG', 'M2Qqt1KgVv', 'Op1qrcmPaR', 'JuFqabP01V', 'QoQqV1PoE2', 'grQq8864NF', 'Np6qjdLkrD', 'BpCqnYSTOk'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, hKo5edfWLak4Bbqtne.cs	High entropy of concatenated method names: 'uDMin9kJ4j', 'TwiipFCVU9', 'yBAiflrCy8', 'jJHihWOmfb', 'WaDiFLfcme', 'O5kiTrdenj', 'nSYitbxRXp', 'dd4irfONIq', 'AwmiaheyoW', 'QXwiVnSATc'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, WTdydw7kwQos9Ag2hA.cs	High entropy of concatenated method names: 'XnJHyF62eO', 'KEgHcEorXm', 'I1dHXSap2D', 'rgRHdGsdDn', 'z9UHiqjBqn', 'Vs2HI4kMbl', 'FBdE0xi06QEIGbChRo', 'zIcGsgCEAFGoBOwjJW', 'OcsHH4wRHq', 'm1eHlQwcuZ'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, c2189dMeFcQwlCkDNo.cs	High entropy of concatenated method names: 'tycYXgX4IL', 'xcAYdeKiZv', 'ToString', 'vmMYCTO6V4', 'DoYYDU59PA', 'wuwYqhlbkT', 'MRyYulAB1T', 'NnnYGlmcnN', 'pl7YyLS7WE', 'EolYctOKcZ'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, JbGBKdj6ZIOo4f2BPQ.cs	High entropy of concatenated method names: 'NpFygJGQoy', 'ok3yk3YCOq', 'dHtyQNfrGo', 'B11yEmuFYr', 'i7XyOZetDI', 'MrRybkJ58q', 'o9Ay50huCS', 'W4XyBGlK6A', 'HYHyKiPwKX', 'KF4yZdU6lb'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, EDIZWacnsQLqU7bbhP.cs	High entropy of concatenated method names: 'dIWleBJaUb', 'fuJlCU5pPg', 'PT9lDBVKdx', 'PSalq1OK3O', 'dyXluwojvM', 'IpBlG2Bi8w', 'OsvlyjvwpG', 'FTClcGgLKf', 'qbJlJr3LlC', 'nsylXUVP8L'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, DgkowV47Dh3Fxfd92L.cs	High entropy of concatenated method names: 'hfps3nV9Au', 'U26sFkKC7K', 'BnDsThiqJu', 'UShstLseQu', 'QebsrlHGXx', 'QeTsayQhIQ', 'pPZsVs0YpI', 'nEss8RKrgy', 'SDqsjhSJZ0', 'gWEsnyEyGT'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, fKewcCzIDSttxbv6Cl.cs	High entropy of concatenated method names: 'GZomb8TeAX', 'rcQmBfQBPY', 'RDSmKKcrYt', 'r4gm3oGsfC', 'a3hmFiCyox', 'bkvmt3aMEB', 'jx3mrdiQhQ', 'Skom2cVmJ4', 'nR7mg88OKt', 't5DmkSyAqW'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, T2nxZyWI6ZVQTBtP96.cs	High entropy of concatenated method names: 'ToString', 'FHbIv7sdct', 'e7OIFs3HOA', 'r5IIThqPl3', 'i2RItKsG4k', 'QOjIr5yarH', 'FvNIaqr3Xo', 'Ud9IVYa8YE', 'DXEI8UseS8', 'LPuIjuyE7K'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, ssoHYO9CZv0DV6pGUv.cs	High entropy of concatenated method names: 'xGk0BfZgTU', 'gZj0KItla1', 'aUh03ytvB5', 'BNf0FbQD43', 'Dts0tFSCEY', 'Qow0rsiLsP', 'GCF0V1nuab', 'eFg08jmurs', 'qfS0nPubql', 'Ole0v8nioF'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, fJ02oKDU7jd18ANgNc.cs	High entropy of concatenated method names: 'Dispose', 'EHTH4bcHbO', 'bxFUF2orfZ', 'hdFJYAgReD', 'TrNHLv6dJo', 'dukHz147Cw', 'ProcessDialogKey', 'YZBUAgkowV', 'dDhUH3Fxfd', 'Q2LUUNnxfd'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, XnxfdvL1wIjOTvPVmK.cs	High entropy of concatenated method names: 'b1lmqgUa6q', 'dtAmu26Sir', 'D3fmGtYCAc', 'wJKmyNZJqJ', 'zTKmsBJyyJ', 'hdYmcQ0id4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, HFhy6EHAGyTn8yOrkLt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pK6mvVucic', 'JtrmpeQLM3', 'Sj9m9uh2y0', 'fIXmfoD3VK', 't3imh4jJWk', 'oeFmWXtOZX', 'bvAmMJDc11'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, DKJ6PHUd9naUoeJCna.cs	High entropy of concatenated method names: 'swwQFFQbu', 'io5EBuFGC', 'sFfb8pyx1', 'JUl5kqrHa', 'uJXKOHA5M', 'hS3ZZ14sQ', 'k18oVIv0U7RiOT8Orh', 'k5o1tYNsT2YnI8ljjy', 'PvkSr46vN', 'hchmanBLj'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, tViMi8xroKHTbcHbOM.cs	High entropy of concatenated method names: 'aaEsia69pk', 'zpNsYrnPZM', 'd2Hss3R6Jb', 't53s6HZgj2', 'A1rsRGpI5M', 'UCgs2aWcZJ', 'Dispose', 'pIoSCYEost', 'QAjSD4uYAe', 'fn3SqRpg9H'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, k27kfyHHonG7KUUcJBK.cs	High entropy of concatenated method names: 'z0WmLhK6XD', 'SdDmzeA4lF', 'tIn6ABldAN', 'RbZ6HWVHCS', 'Hjm6Ub5XDP', 'jKI6lp5iCZ', 'BJe67OKeqo', 'Ds46ejlZDk', 'NgQ6CpOQh7', 'Dcm6DoFoI7'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, bXPpnuV1cYWsbLvy9E.cs	High entropy of concatenated method names: 'VyuyCViDFQ', 'UgnyquY8I5', 'fT2yGZruLQ', 'zq9GLL2n9k', 'kh4GzwBHBD', 'l9QyAIhQdQ', 'hxvyHf4xuM', 'uKRyUrXavS', 't1qylB4iI0', 'hJ7y7B4cdM'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, BZ0TvmwFdgLu3v1uns.cs	High entropy of concatenated method names: 'xU6YNrTpfQ', 'MHqYLww1DE', 'IRFSAAuVEM', 'UfiSHJpDRa', 'co0YvMY0kI', 'XS9YpvAFDs', 'tvyY9e2WWn', 'ooMYfhOr4q', 'rKvYhVrSHl', 'kVqYWoZpFC'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, Vs82vkHUR5m9RCYE2bP.cs	High entropy of concatenated method names: 'ToString', 'KfX6BMTyh7', 'xB76Kn2Wpo', 'zuV6Ze8RcL', 'FZw63IgMg0', 'l4a6FPHtQ6', 'MAG6Td04QD', 'kYv6t6R6yY', 'GjZfER1IO7Ml5BMDRtH', 'GL7pWy1Z0kwjW3OdYep'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, lF62eOBaEgEorXmRSl.cs	High entropy of concatenated method names: 'iwRDfGIkgE', 'QjYDh8EXqc', 'SsPDWoPN32', 'GmADMksnIc', 'Is6D1jKVbG', 'I5kDwCg0R9', 'YkMDxlMml4', 'cqUDNP7QiU', 'aEPD4EPsAy', 'FH7DL0Asye'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, Dqnxs234kMblUpWIWe.cs	High entropy of concatenated method names: 'THiGewLSWx', 'xvbGDWOODP', 'cWbGuULGWK', 'naCGy2oX6x', 'd7vGcBa6cO', 'eyou1dQ4pM', 'kbnuwftVYT', 'PYuuxbMh1B', 'XjeuN4ZoT4', 'k4Cu4iBqPt'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, R9ihZtK1dSap2DSgRG.cs	High entropy of concatenated method names: 'xH1qEPtVAl', 'gMtqbbJkpd', 'JlpqB25eCM', 'NoiqKaCu0X', 'DCPqiDF8Xt', 'BbBqI1vGgK', 'nZwqYiIpom', 'VETqSJfEol', 'sLqqseFf6k', 'zjNqmjeRt4'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, rdDn9AZRble9iQ9Uqj.cs	High entropy of concatenated method names: 'EequOEL5lC', 'NbIu51eamH', 'qyuqTnnIpG', 'M2Qqt1KgVv', 'Op1qrcmPaR', 'JuFqabP01V', 'QoQqV1PoE2', 'grQq8864NF', 'Np6qjdLkrD', 'BpCqnYSTOk'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, hKo5edfWLak4Bbqtne.cs	High entropy of concatenated method names: 'uDMin9kJ4j', 'TwiipFCVU9', 'yBAiflrCy8', 'jJHihWOmfb', 'WaDiFLfcme', 'O5kiTrdenj', 'nSYitbxRXp', 'dd4irfONIq', 'AwmiaheyoW', 'QXwiVnSATc'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, WTdydw7kwQos9Ag2hA.cs	High entropy of concatenated method names: 'XnJHyF62eO', 'KEgHcEorXm', 'I1dHXSap2D', 'rgRHdGsdDn', 'z9UHiqjBqn', 'Vs2HI4kMbl', 'FBdE0xi06QEIGbChRo', 'zIcGsgCEAFGoBOwjJW', 'OcsHH4wRHq', 'm1eHlQwcuZ'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, c2189dMeFcQwlCkDNo.cs	High entropy of concatenated method names: 'tycYXgX4IL', 'xcAYdeKiZv', 'ToString', 'vmMYCTO6V4', 'DoYYDU59PA', 'wuwYqhlbkT', 'MRyYulAB1T', 'NnnYGlmcnN', 'pl7YyLS7WE', 'EolYctOKcZ'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, JbGBKdj6ZIOo4f2BPQ.cs	High entropy of concatenated method names: 'NpFygJGQoy', 'ok3yk3YCOq', 'dHtyQNfrGo', 'B11yEmuFYr', 'i7XyOZetDI', 'MrRybkJ58q', 'o9Ay50huCS', 'W4XyBGlK6A', 'HYHyKiPwKX', 'KF4yZdU6lb'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, EDIZWacnsQLqU7bbhP.cs	High entropy of concatenated method names: 'dIWleBJaUb', 'fuJlCU5pPg', 'PT9lDBVKdx', 'PSalq1OK3O', 'dyXluwojvM', 'IpBlG2Bi8w', 'OsvlyjvwpG', 'FTClcGgLKf', 'qbJlJr3LlC', 'nsylXUVP8L'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, DgkowV47Dh3Fxfd92L.cs	High entropy of concatenated method names: 'hfps3nV9Au', 'U26sFkKC7K', 'BnDsThiqJu', 'UShstLseQu', 'QebsrlHGXx', 'QeTsayQhIQ', 'pPZsVs0YpI', 'nEss8RKrgy', 'SDqsjhSJZ0', 'gWEsnyEyGT'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, fKewcCzIDSttxbv6Cl.cs	High entropy of concatenated method names: 'GZomb8TeAX', 'rcQmBfQBPY', 'RDSmKKcrYt', 'r4gm3oGsfC', 'a3hmFiCyox', 'bkvmt3aMEB', 'jx3mrdiQhQ', 'Skom2cVmJ4', 'nR7mg88OKt', 't5DmkSyAqW'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, T2nxZyWI6ZVQTBtP96.cs	High entropy of concatenated method names: 'ToString', 'FHbIv7sdct', 'e7OIFs3HOA', 'r5IIThqPl3', 'i2RItKsG4k', 'QOjIr5yarH', 'FvNIaqr3Xo', 'Ud9IVYa8YE', 'DXEI8UseS8', 'LPuIjuyE7K'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, ssoHYO9CZv0DV6pGUv.cs	High entropy of concatenated method names: 'xGk0BfZgTU', 'gZj0KItla1', 'aUh03ytvB5', 'BNf0FbQD43', 'Dts0tFSCEY', 'Qow0rsiLsP', 'GCF0V1nuab', 'eFg08jmurs', 'qfS0nPubql', 'Ole0v8nioF'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, fJ02oKDU7jd18ANgNc.cs	High entropy of concatenated method names: 'Dispose', 'EHTH4bcHbO', 'bxFUF2orfZ', 'hdFJYAgReD', 'TrNHLv6dJo', 'dukHz147Cw', 'ProcessDialogKey', 'YZBUAgkowV', 'dDhUH3Fxfd', 'Q2LUUNnxfd'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, XnxfdvL1wIjOTvPVmK.cs	High entropy of concatenated method names: 'b1lmqgUa6q', 'dtAmu26Sir', 'D3fmGtYCAc', 'wJKmyNZJqJ', 'zTKmsBJyyJ', 'hdYmcQ0id4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, HFhy6EHAGyTn8yOrkLt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pK6mvVucic', 'JtrmpeQLM3', 'Sj9m9uh2y0', 'fIXmfoD3VK', 't3imh4jJWk', 'oeFmWXtOZX', 'bvAmMJDc11'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, DKJ6PHUd9naUoeJCna.cs	High entropy of concatenated method names: 'swwQFFQbu', 'io5EBuFGC', 'sFfb8pyx1', 'JUl5kqrHa', 'uJXKOHA5M', 'hS3ZZ14sQ', 'k18oVIv0U7RiOT8Orh', 'k5o1tYNsT2YnI8ljjy', 'PvkSr46vN', 'hchmanBLj'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, tViMi8xroKHTbcHbOM.cs	High entropy of concatenated method names: 'aaEsia69pk', 'zpNsYrnPZM', 'd2Hss3R6Jb', 't53s6HZgj2', 'A1rsRGpI5M', 'UCgs2aWcZJ', 'Dispose', 'pIoSCYEost', 'QAjSD4uYAe', 'fn3SqRpg9H'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, k27kfyHHonG7KUUcJBK.cs	High entropy of concatenated method names: 'z0WmLhK6XD', 'SdDmzeA4lF', 'tIn6ABldAN', 'RbZ6HWVHCS', 'Hjm6Ub5XDP', 'jKI6lp5iCZ', 'BJe67OKeqo', 'Ds46ejlZDk', 'NgQ6CpOQh7', 'Dcm6DoFoI7'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, bXPpnuV1cYWsbLvy9E.cs	High entropy of concatenated method names: 'VyuyCViDFQ', 'UgnyquY8I5', 'fT2yGZruLQ', 'zq9GLL2n9k', 'kh4GzwBHBD', 'l9QyAIhQdQ', 'hxvyHf4xuM', 'uKRyUrXavS', 't1qylB4iI0', 'hJ7y7B4cdM'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, BZ0TvmwFdgLu3v1uns.cs	High entropy of concatenated method names: 'xU6YNrTpfQ', 'MHqYLww1DE', 'IRFSAAuVEM', 'UfiSHJpDRa', 'co0YvMY0kI', 'XS9YpvAFDs', 'tvyY9e2WWn', 'ooMYfhOr4q', 'rKvYhVrSHl', 'kVqYWoZpFC'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, Vs82vkHUR5m9RCYE2bP.cs	High entropy of concatenated method names: 'ToString', 'KfX6BMTyh7', 'xB76Kn2Wpo', 'zuV6Ze8RcL', 'FZw63IgMg0', 'l4a6FPHtQ6', 'MAG6Td04QD', 'kYv6t6R6yY', 'GjZfER1IO7Ml5BMDRtH', 'GL7pWy1Z0kwjW3OdYep'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, lF62eOBaEgEorXmRSl.cs	High entropy of concatenated method names: 'iwRDfGIkgE', 'QjYDh8EXqc', 'SsPDWoPN32', 'GmADMksnIc', 'Is6D1jKVbG', 'I5kDwCg0R9', 'YkMDxlMml4', 'cqUDNP7QiU', 'aEPD4EPsAy', 'FH7DL0Asye'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, Dqnxs234kMblUpWIWe.cs	High entropy of concatenated method names: 'THiGewLSWx', 'xvbGDWOODP', 'cWbGuULGWK', 'naCGy2oX6x', 'd7vGcBa6cO', 'eyou1dQ4pM', 'kbnuwftVYT', 'PYuuxbMh1B', 'XjeuN4ZoT4', 'k4Cu4iBqPt'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, R9ihZtK1dSap2DSgRG.cs	High entropy of concatenated method names: 'xH1qEPtVAl', 'gMtqbbJkpd', 'JlpqB25eCM', 'NoiqKaCu0X', 'DCPqiDF8Xt', 'BbBqI1vGgK', 'nZwqYiIpom', 'VETqSJfEol', 'sLqqseFf6k', 'zjNqmjeRt4'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, rdDn9AZRble9iQ9Uqj.cs	High entropy of concatenated method names: 'EequOEL5lC', 'NbIu51eamH', 'qyuqTnnIpG', 'M2Qqt1KgVv', 'Op1qrcmPaR', 'JuFqabP01V', 'QoQqV1PoE2', 'grQq8864NF', 'Np6qjdLkrD', 'BpCqnYSTOk'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, hKo5edfWLak4Bbqtne.cs	High entropy of concatenated method names: 'uDMin9kJ4j', 'TwiipFCVU9', 'yBAiflrCy8', 'jJHihWOmfb', 'WaDiFLfcme', 'O5kiTrdenj', 'nSYitbxRXp', 'dd4irfONIq', 'AwmiaheyoW', 'QXwiVnSATc'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, WTdydw7kwQos9Ag2hA.cs	High entropy of concatenated method names: 'XnJHyF62eO', 'KEgHcEorXm', 'I1dHXSap2D', 'rgRHdGsdDn', 'z9UHiqjBqn', 'Vs2HI4kMbl', 'FBdE0xi06QEIGbChRo', 'zIcGsgCEAFGoBOwjJW', 'OcsHH4wRHq', 'm1eHlQwcuZ'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, c2189dMeFcQwlCkDNo.cs	High entropy of concatenated method names: 'tycYXgX4IL', 'xcAYdeKiZv', 'ToString', 'vmMYCTO6V4', 'DoYYDU59PA', 'wuwYqhlbkT', 'MRyYulAB1T', 'NnnYGlmcnN', 'pl7YyLS7WE', 'EolYctOKcZ'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, JbGBKdj6ZIOo4f2BPQ.cs	High entropy of concatenated method names: 'NpFygJGQoy', 'ok3yk3YCOq', 'dHtyQNfrGo', 'B11yEmuFYr', 'i7XyOZetDI', 'MrRybkJ58q', 'o9Ay50huCS', 'W4XyBGlK6A', 'HYHyKiPwKX', 'KF4yZdU6lb'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, EDIZWacnsQLqU7bbhP.cs	High entropy of concatenated method names: 'dIWleBJaUb', 'fuJlCU5pPg', 'PT9lDBVKdx', 'PSalq1OK3O', 'dyXluwojvM', 'IpBlG2Bi8w', 'OsvlyjvwpG', 'FTClcGgLKf', 'qbJlJr3LlC', 'nsylXUVP8L'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, DgkowV47Dh3Fxfd92L.cs	High entropy of concatenated method names: 'hfps3nV9Au', 'U26sFkKC7K', 'BnDsThiqJu', 'UShstLseQu', 'QebsrlHGXx', 'QeTsayQhIQ', 'pPZsVs0YpI', 'nEss8RKrgy', 'SDqsjhSJZ0', 'gWEsnyEyGT'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, fKewcCzIDSttxbv6Cl.cs	High entropy of concatenated method names: 'GZomb8TeAX', 'rcQmBfQBPY', 'RDSmKKcrYt', 'r4gm3oGsfC', 'a3hmFiCyox', 'bkvmt3aMEB', 'jx3mrdiQhQ', 'Skom2cVmJ4', 'nR7mg88OKt', 't5DmkSyAqW'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, T2nxZyWI6ZVQTBtP96.cs	High entropy of concatenated method names: 'ToString', 'FHbIv7sdct', 'e7OIFs3HOA', 'r5IIThqPl3', 'i2RItKsG4k', 'QOjIr5yarH', 'FvNIaqr3Xo', 'Ud9IVYa8YE', 'DXEI8UseS8', 'LPuIjuyE7K'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, ssoHYO9CZv0DV6pGUv.cs	High entropy of concatenated method names: 'xGk0BfZgTU', 'gZj0KItla1', 'aUh03ytvB5', 'BNf0FbQD43', 'Dts0tFSCEY', 'Qow0rsiLsP', 'GCF0V1nuab', 'eFg08jmurs', 'qfS0nPubql', 'Ole0v8nioF'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, fJ02oKDU7jd18ANgNc.cs	High entropy of concatenated method names: 'Dispose', 'EHTH4bcHbO', 'bxFUF2orfZ', 'hdFJYAgReD', 'TrNHLv6dJo', 'dukHz147Cw', 'ProcessDialogKey', 'YZBUAgkowV', 'dDhUH3Fxfd', 'Q2LUUNnxfd'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, XnxfdvL1wIjOTvPVmK.cs	High entropy of concatenated method names: 'b1lmqgUa6q', 'dtAmu26Sir', 'D3fmGtYCAc', 'wJKmyNZJqJ', 'zTKmsBJyyJ', 'hdYmcQ0id4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, HFhy6EHAGyTn8yOrkLt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pK6mvVucic', 'JtrmpeQLM3', 'Sj9m9uh2y0', 'fIXmfoD3VK', 't3imh4jJWk', 'oeFmWXtOZX', 'bvAmMJDc11'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, DKJ6PHUd9naUoeJCna.cs	High entropy of concatenated method names: 'swwQFFQbu', 'io5EBuFGC', 'sFfb8pyx1', 'JUl5kqrHa', 'uJXKOHA5M', 'hS3ZZ14sQ', 'k18oVIv0U7RiOT8Orh', 'k5o1tYNsT2YnI8ljjy', 'PvkSr46vN', 'hchmanBLj'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, tViMi8xroKHTbcHbOM.cs	High entropy of concatenated method names: 'aaEsia69pk', 'zpNsYrnPZM', 'd2Hss3R6Jb', 't53s6HZgj2', 'A1rsRGpI5M', 'UCgs2aWcZJ', 'Dispose', 'pIoSCYEost', 'QAjSD4uYAe', 'fn3SqRpg9H'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, k27kfyHHonG7KUUcJBK.cs	High entropy of concatenated method names: 'z0WmLhK6XD', 'SdDmzeA4lF', 'tIn6ABldAN', 'RbZ6HWVHCS', 'Hjm6Ub5XDP', 'jKI6lp5iCZ', 'BJe67OKeqo', 'Ds46ejlZDk', 'NgQ6CpOQh7', 'Dcm6DoFoI7'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, bXPpnuV1cYWsbLvy9E.cs	High entropy of concatenated method names: 'VyuyCViDFQ', 'UgnyquY8I5', 'fT2yGZruLQ', 'zq9GLL2n9k', 'kh4GzwBHBD', 'l9QyAIhQdQ', 'hxvyHf4xuM', 'uKRyUrXavS', 't1qylB4iI0', 'hJ7y7B4cdM'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, BZ0TvmwFdgLu3v1uns.cs	High entropy of concatenated method names: 'xU6YNrTpfQ', 'MHqYLww1DE', 'IRFSAAuVEM', 'UfiSHJpDRa', 'co0YvMY0kI', 'XS9YpvAFDs', 'tvyY9e2WWn', 'ooMYfhOr4q', 'rKvYhVrSHl', 'kVqYWoZpFC'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, Vs82vkHUR5m9RCYE2bP.cs	High entropy of concatenated method names: 'ToString', 'KfX6BMTyh7', 'xB76Kn2Wpo', 'zuV6Ze8RcL', 'FZw63IgMg0', 'l4a6FPHtQ6', 'MAG6Td04QD', 'kYv6t6R6yY', 'GjZfER1IO7Ml5BMDRtH', 'GL7pWy1Z0kwjW3OdYep'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, lF62eOBaEgEorXmRSl.cs	High entropy of concatenated method names: 'iwRDfGIkgE', 'QjYDh8EXqc', 'SsPDWoPN32', 'GmADMksnIc', 'Is6D1jKVbG', 'I5kDwCg0R9', 'YkMDxlMml4', 'cqUDNP7QiU', 'aEPD4EPsAy', 'FH7DL0Asye'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, Dqnxs234kMblUpWIWe.cs	High entropy of concatenated method names: 'THiGewLSWx', 'xvbGDWOODP', 'cWbGuULGWK', 'naCGy2oX6x', 'd7vGcBa6cO', 'eyou1dQ4pM', 'kbnuwftVYT', 'PYuuxbMh1B', 'XjeuN4ZoT4', 'k4Cu4iBqPt'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, R9ihZtK1dSap2DSgRG.cs	High entropy of concatenated method names: 'xH1qEPtVAl', 'gMtqbbJkpd', 'JlpqB25eCM', 'NoiqKaCu0X', 'DCPqiDF8Xt', 'BbBqI1vGgK', 'nZwqYiIpom', 'VETqSJfEol', 'sLqqseFf6k', 'zjNqmjeRt4'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, rdDn9AZRble9iQ9Uqj.cs	High entropy of concatenated method names: 'EequOEL5lC', 'NbIu51eamH', 'qyuqTnnIpG', 'M2Qqt1KgVv', 'Op1qrcmPaR', 'JuFqabP01V', 'QoQqV1PoE2', 'grQq8864NF', 'Np6qjdLkrD', 'BpCqnYSTOk'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, hKo5edfWLak4Bbqtne.cs	High entropy of concatenated method names: 'uDMin9kJ4j', 'TwiipFCVU9', 'yBAiflrCy8', 'jJHihWOmfb', 'WaDiFLfcme', 'O5kiTrdenj', 'nSYitbxRXp', 'dd4irfONIq', 'AwmiaheyoW', 'QXwiVnSATc'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, WTdydw7kwQos9Ag2hA.cs	High entropy of concatenated method names: 'XnJHyF62eO', 'KEgHcEorXm', 'I1dHXSap2D', 'rgRHdGsdDn', 'z9UHiqjBqn', 'Vs2HI4kMbl', 'FBdE0xi06QEIGbChRo', 'zIcGsgCEAFGoBOwjJW', 'OcsHH4wRHq', 'm1eHlQwcuZ'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, c2189dMeFcQwlCkDNo.cs	High entropy of concatenated method names: 'tycYXgX4IL', 'xcAYdeKiZv', 'ToString', 'vmMYCTO6V4', 'DoYYDU59PA', 'wuwYqhlbkT', 'MRyYulAB1T', 'NnnYGlmcnN', 'pl7YyLS7WE', 'EolYctOKcZ'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, JbGBKdj6ZIOo4f2BPQ.cs	High entropy of concatenated method names: 'NpFygJGQoy', 'ok3yk3YCOq', 'dHtyQNfrGo', 'B11yEmuFYr', 'i7XyOZetDI', 'MrRybkJ58q', 'o9Ay50huCS', 'W4XyBGlK6A', 'HYHyKiPwKX', 'KF4yZdU6lb'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, EDIZWacnsQLqU7bbhP.cs	High entropy of concatenated method names: 'dIWleBJaUb', 'fuJlCU5pPg', 'PT9lDBVKdx', 'PSalq1OK3O', 'dyXluwojvM', 'IpBlG2Bi8w', 'OsvlyjvwpG', 'FTClcGgLKf', 'qbJlJr3LlC', 'nsylXUVP8L'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, DgkowV47Dh3Fxfd92L.cs	High entropy of concatenated method names: 'hfps3nV9Au', 'U26sFkKC7K', 'BnDsThiqJu', 'UShstLseQu', 'QebsrlHGXx', 'QeTsayQhIQ', 'pPZsVs0YpI', 'nEss8RKrgy', 'SDqsjhSJZ0', 'gWEsnyEyGT'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, fKewcCzIDSttxbv6Cl.cs	High entropy of concatenated method names: 'GZomb8TeAX', 'rcQmBfQBPY', 'RDSmKKcrYt', 'r4gm3oGsfC', 'a3hmFiCyox', 'bkvmt3aMEB', 'jx3mrdiQhQ', 'Skom2cVmJ4', 'nR7mg88OKt', 't5DmkSyAqW'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, T2nxZyWI6ZVQTBtP96.cs	High entropy of concatenated method names: 'ToString', 'FHbIv7sdct', 'e7OIFs3HOA', 'r5IIThqPl3', 'i2RItKsG4k', 'QOjIr5yarH', 'FvNIaqr3Xo', 'Ud9IVYa8YE', 'DXEI8UseS8', 'LPuIjuyE7K'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, ssoHYO9CZv0DV6pGUv.cs	High entropy of concatenated method names: 'xGk0BfZgTU', 'gZj0KItla1', 'aUh03ytvB5', 'BNf0FbQD43', 'Dts0tFSCEY', 'Qow0rsiLsP', 'GCF0V1nuab', 'eFg08jmurs', 'qfS0nPubql', 'Ole0v8nioF'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, fJ02oKDU7jd18ANgNc.cs	High entropy of concatenated method names: 'Dispose', 'EHTH4bcHbO', 'bxFUF2orfZ', 'hdFJYAgReD', 'TrNHLv6dJo', 'dukHz147Cw', 'ProcessDialogKey', 'YZBUAgkowV', 'dDhUH3Fxfd', 'Q2LUUNnxfd'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, XnxfdvL1wIjOTvPVmK.cs	High entropy of concatenated method names: 'b1lmqgUa6q', 'dtAmu26Sir', 'D3fmGtYCAc', 'wJKmyNZJqJ', 'zTKmsBJyyJ', 'hdYmcQ0id4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, HFhy6EHAGyTn8yOrkLt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pK6mvVucic', 'JtrmpeQLM3', 'Sj9m9uh2y0', 'fIXmfoD3VK', 't3imh4jJWk', 'oeFmWXtOZX', 'bvAmMJDc11'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, DKJ6PHUd9naUoeJCna.cs	High entropy of concatenated method names: 'swwQFFQbu', 'io5EBuFGC', 'sFfb8pyx1', 'JUl5kqrHa', 'uJXKOHA5M', 'hS3ZZ14sQ', 'k18oVIv0U7RiOT8Orh', 'k5o1tYNsT2YnI8ljjy', 'PvkSr46vN', 'hchmanBLj'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, tViMi8xroKHTbcHbOM.cs	High entropy of concatenated method names: 'aaEsia69pk', 'zpNsYrnPZM', 'd2Hss3R6Jb', 't53s6HZgj2', 'A1rsRGpI5M', 'UCgs2aWcZJ', 'Dispose', 'pIoSCYEost', 'QAjSD4uYAe', 'fn3SqRpg9H'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, k27kfyHHonG7KUUcJBK.cs	High entropy of concatenated method names: 'z0WmLhK6XD', 'SdDmzeA4lF', 'tIn6ABldAN', 'RbZ6HWVHCS', 'Hjm6Ub5XDP', 'jKI6lp5iCZ', 'BJe67OKeqo', 'Ds46ejlZDk', 'NgQ6CpOQh7', 'Dcm6DoFoI7'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, bXPpnuV1cYWsbLvy9E.cs	High entropy of concatenated method names: 'VyuyCViDFQ', 'UgnyquY8I5', 'fT2yGZruLQ', 'zq9GLL2n9k', 'kh4GzwBHBD', 'l9QyAIhQdQ', 'hxvyHf4xuM', 'uKRyUrXavS', 't1qylB4iI0', 'hJ7y7B4cdM'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, BZ0TvmwFdgLu3v1uns.cs	High entropy of concatenated method names: 'xU6YNrTpfQ', 'MHqYLww1DE', 'IRFSAAuVEM', 'UfiSHJpDRa', 'co0YvMY0kI', 'XS9YpvAFDs', 'tvyY9e2WWn', 'ooMYfhOr4q', 'rKvYhVrSHl', 'kVqYWoZpFC'

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

File created: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49749

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: nzLoHpgAln.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wZWwzQVEakJvEU.exe PID: 7408, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 7F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 23F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 43F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 4B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 5B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 5C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 6C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 9F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: AF50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: B3E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: C3E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 2D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 2B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: E80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: 2C30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: 2B50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: 5260000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: 6260000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: 6390000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: 7390000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: A050000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: B050000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: B4E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: 14A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: 3280000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: 2FC0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5422	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5754	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Window / User API: threadDelayed 2557	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Window / User API: threadDelayed 3970	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Window / User API: threadDelayed 1147
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Window / User API: threadDelayed 6891

Source: C:\Users\user\Desktop\nzLoHpgAln.exe TID: 6368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7216	Thread sleep count: 5422 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7396	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7416	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe TID: 7636	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe TID: 7436	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe TID: 7368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe TID: 7528	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe TID: 8036	Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe TID: 7828	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe TID: 7784	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Thread delayed: delay time: 922337203685477

Source: wZWwzQVEakJvEU.exe, 0000000A.00000002.1856276345.0000000009BF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\M
Source: nzLoHpgAln.exe, 00000008.00000002.1857292891.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: wZWwzQVEakJvEU.exe, 0000000E.00000002.1952277135.0000000001680000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe"
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe"
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory written: C:\Users\user\Desktop\nzLoHpgAln.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory written: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Users\user\Desktop\nzLoHpgAln.exe "C:\Users\user\Desktop\nzLoHpgAln.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpE7EE.tmp"
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process created: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe"

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Users\user\Desktop\nzLoHpgAln.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Users\user\Desktop\nzLoHpgAln.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: nzLoHpgAln.exe, 00000008.00000002.1876390947.000000000667F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3eccbe8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.nzLoHpgAln.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nzLoHpgAln.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nzLoHpgAln.exe PID: 7312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wZWwzQVEakJvEU.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wZWwzQVEakJvEU.exe PID: 7732, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: nzLoHpgAln.exe, 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: nzLoHpgAln.exe, 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: nzLoHpgAln.exe, 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: nzLoHpgAln.exe, 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\

Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3eccbe8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.nzLoHpgAln.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nzLoHpgAln.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nzLoHpgAln.exe PID: 7312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wZWwzQVEakJvEU.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wZWwzQVEakJvEU.exe PID: 7732, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3eccbe8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.nzLoHpgAln.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nzLoHpgAln.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nzLoHpgAln.exe PID: 7312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wZWwzQVEakJvEU.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wZWwzQVEakJvEU.exe PID: 7732, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	1 OS Credential Dumping	331 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	32 Software Packing	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report nzLoHpgAln.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
nzLoHpgAln.exe