Windows Analysis Report K0bg9rZl2L

Overview

General Information

Sample Name: K0bg9rZl2L (renamed file extension from none to exe)
Analysis ID: 452750
MD5: 699e56ea4da0b0865fc33308a8b09df9
SHA1: c32dff686616f747f808a5c0bc67484d4755f568
SHA256: e5805ba9f9119986eb49be00972cb30d5249f8c19c872c4daacb2ad67a157bb5
Tags: 32, exe, trojan

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 0.2.K0bg9rZl2L.exe.3879510.2.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "bookings@simpleitalian.com.au", "Password": "SIpassword101$", "Host": "mail.simpleitalian.com.au"}
Multi AV Scanner detection for domain / URL
Source: bakercost.gq Virustotal: Detection: 13%
Multi AV Scanner detection for submitted file
Source: K0bg9rZl2L.exe Virustotal: Detection: 36%
Source: K0bg9rZl2L.exe ReversingLabs: Detection: 21%
Machine Learning detection for sample
Source: K0bg9rZl2L.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.K0bg9rZl2L.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Exploits:

Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.5a70000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.433dbb8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.5a70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.433dbb8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.698060077.0000000005A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: K0bg9rZl2L.exe PID: 6860, type: MEMORY

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.156.203:443 -> 192.168.2.4:49724 version: TLS 1.0
Source: K0bg9rZl2L.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49757 -> 103.18.109.159:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.67.156.203
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: NET1-AS-APNetVirtuePtyLtdAU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49757 -> 103.18.109.159:587
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.156.203:443 -> 192.168.2.4:49724 version: TLS 1.0
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.facebook.com (Facebook)
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.twitter.com (Twitter)
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: <meta property="og:site_name" content="Liverpool.com"><meta property="og:language" content="en"><meta property="og:type" content="article"><meta property="og:title" content="The Brewster Experience has underdelivered so far, but that will change"><meta property="og:url" content="https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763"><meta property="og:description" content="Rhian Brewster was hyped up before the start of the season, but was that fair?"><meta property="og:image" content="https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178657262.jpg"><meta property="og:section" content="Features"><meta property="article:tag" content="Rhian Brewster"><meta property="article:author" content="https://www.facebook.com/kristianwalsh1987/"><meta property="article:published_time" content="2019-10-30T16:00:00Z"><meta property="article:modified_time" content="2019-10-30T15:36:53Z"><meta property="article:expiration_time" content="2019-11-29T15:36:53Z"><meta property="article:section" content="Features"><meta property="article:id" content="liverpool-17172763"> equals www.facebook.com (Facebook)
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.facebook.com (Facebook)
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.twitter.com (Twitter)
Source: unknown DNS traffic detected: queries for: bakercost.gq
Source: K0bg9rZl2L.exe, 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: K0bg9rZl2L.exe, 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: K0bg9rZl2L.exe, 00000006.00000002.915196775.0000000000DC0000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoN
Source: K0bg9rZl2L.exe, 00000006.00000002.915075065.0000000000C72000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: K0bg9rZl2L.exe, 00000006.00000002.915232144.0000000000DEC000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: K0bg9rZl2L.exe, 00000006.00000002.915075065.0000000000C72000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: K0bg9rZl2L.exe, 00000006.00000002.915196775.0000000000DC0000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: K0bg9rZl2L.exe, 00000000.00000002.666708032.0000000000B57000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: K0bg9rZl2L.exe, 00000006.00000002.917276923.0000000002D29000.00000004.00000001.sdmp String found in binary or memory: http://mail.simpleitalian.com.au
Source: K0bg9rZl2L.exe, 00000006.00000002.915075065.0000000000C72000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: K0bg9rZl2L.exe, 00000006.00000002.915196775.0000000000DC0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodt
Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: K0bg9rZl2L.exe, 00000000.00000002.666708032.0000000000B57000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/BreadcrumbList
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/ListItem
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/NewsArticle
Source: K0bg9rZl2L.exe, 00000000.00000002.667259395.0000000002871000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: K0bg9rZl2L.exe, 00000006.00000002.917276923.0000000002D29000.00000004.00000001.sdmp String found in binary or memory: http://simpleitalian.com.au
Source: K0bg9rZl2L.exe, 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmp String found in binary or memory: http://tKqrxG.com
Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0v
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
Source: K0bg9rZl2L.exe, 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%$
Source: K0bg9rZl2L.exe, 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: K0bg9rZl2L.exe, 00000000.00000002.667259395.0000000002871000.00000004.00000001.sdmp String found in binary or memory: https://bakercost.gq
Source: K0bg9rZl2L.exe, 00000000.00000003.649941087.0000000000B67000.00000004.00000001.sdmp String found in binary or memory: https://bakercost.gq/
Source: K0bg9rZl2L.exe, 00000000.00000002.667259395.0000000002871000.00000004.00000001.sdmp String found in binary or memory: https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-DA64E
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://c.amazon-adsystem.com/aax2/apstag.js
Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp String found in binary or memory: https://dash.cloudflare.com/
Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://felix.data.tm-awx.com
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://felix.data.tm-awx.com/ampconfig.json&quot;
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://felix.data.tm-awx.com/felix.min.js
Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://github.com/ded/script.js
Source: powershell.exe, 00000003.00000003.732891085.0000000005588000.00000004.00000001.sdmp String found in binary or memory: https://go.micro
Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17156435.ece/ALTERNATES/s615/1_GettyImages-1183794835.
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s220b/0_Salah-Pressing.jpg
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s180/0_Curtis-10.png
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.
Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpg
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s180/0_GettyImages-1273716690.
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s615/0_GettyImages-1302496803.
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s615/1_WhatsApp-Image-2021-03-
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178
Source: K0bg9rZl2L.exe, 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp String found in binary or memory: https://mab.data.tm-awx.com/rhs
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://mab.data.tm-awx.com/rhs&quot;
Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://quantcast.mgr.consensu.org
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://reach-id.orbit.tm-awx.com/analytics.js.gz
Source: K0bg9rZl2L.exe, 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp String found in binary or memory: https://reachplc.hub.loginradius.com
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://reachplc.hub.loginradius.com&quot;
Source: K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp String found in binary or memory: https://s2-prod.liverpool.com
Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://s2-prod.liverpool.com/
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://s2-prod.mirror.co.uk/
Source: K0bg9rZl2L.exe, 00000006.00000002.915196775.0000000000DC0000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: K0bg9rZl2L.exe, 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp String found in binary or memory: https://secure.widget.cloud.opta.net/v3/css/v3.core.opta-widgets.css
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://securepubads.g.doubleclick.net/tag/js/gpt.js
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://static.hotjar.com/c/hotjar-
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://trinitymirror.grapeshot.co.uk/
Source: K0bg9rZl2L.exe, 00000000.00000002.666708032.0000000000B57000.00000004.00000020.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com
Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-M3TH25P
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/andrew-robertson
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/champions-league
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/curtis-user
Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/georginio-wijnaldum
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/mohamed-salah
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/ozan-kabak
Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/premier-league
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/sadio-mane
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/steven-gerrard
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/transfers
Source: K0bg9rZl2L.exe, 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/cookie-policy/
Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/
Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/
Source: K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166
Source: K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-barcelona-real-madrid-psg-17164868
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194
Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-curtis-user-jurgen-klopp-19941053
Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533
Source: K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836
Source: K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-sadio-mane-expected-goals-19932676
Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763&
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590
Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst
Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/schedule/
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154
Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/search/
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000006.00000002.914072243.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: K0bg9rZl2L.exe, 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: K0bg9rZl2L.exe, 00000006.00000002.917197533.0000000002CE5000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000006.00000002.917371104.0000000002D55000.00000004.00000001.sdmp String found in binary or memory: https://yBn4IuANygFMcOSp.com
Source: K0bg9rZl2L.exe, 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmp String found in binary or memory: https://yBn4IuANygFMcOSp.com0
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 0_2_027D0870 0_2_027D0870
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 0_2_027DD890 0_2_027DD890
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 0_2_0285C368 0_2_0285C368
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 0_2_028501A2 0_2_028501A2
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 0_2_0285E4B8 0_2_0285E4B8
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 0_2_0285F510 0_2_0285F510
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 0_2_0285AB90 0_2_0285AB90
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 0_2_0285D9A0 0_2_0285D9A0
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 0_2_028509A8 0_2_028509A8
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 0_2_028509B8 0_2_028509B8
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 6_2_00F520F0 6_2_00F520F0
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 6_2_00F56CE8 6_2_00F56CE8
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 6_2_00F537D6 6_2_00F537D6
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 6_2_00F5B130 6_2_00F5B130
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 6_2_00F592F0 6_2_00F592F0
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 6_2_00F57428 6_2_00F57428
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 6_2_00F5E5D8 6_2_00F5E5D8
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 6_2_00F57528 6_2_00F57528
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 6_2_00F9BA18 6_2_00F9BA18
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 6_2_00F96990 6_2_00F96990
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 6_2_027E46A0 6_2_027E46A0
Sample file is different than original file name gathered from version info
Source: K0bg9rZl2L.exe Binary or memory string: OriginalFilename vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWindowsApp1.exe8 vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameYVAU TjZ.exe2 vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000000.00000002.666138477.0000000000552000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameF67b9O9XfbiW6JN101b0575e.exeR vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000000.00000002.697157152.0000000004E50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000000.00000002.698716743.0000000006600000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000006.00000002.914072243.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameYVAU TjZ.exe2 vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000006.00000000.665731094.00000000005A2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameF67b9O9XfbiW6JN101b0575e.exeR vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000006.00000002.915282847.0000000000EC0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000006.00000002.914223785.0000000000938000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000006.00000002.914884009.0000000000BCA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000006.00000002.915392610.0000000000F30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe Binary or memory string: OriginalFilenameF67b9O9XfbiW6JN101b0575e.exeR vs K0bg9rZl2L.exe
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@6/8@3/3
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe File created: C:\Users\user\Desktop\dedd659c48564f729136e943657b6aef.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_01
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe File created: C:\Users\user\AppData\Local\Temp\14906059cf1d40cd99ff18e182ff171d
Source: K0bg9rZl2L.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: K0bg9rZl2L.exe Virustotal: Detection: 36%
Source: K0bg9rZl2L.exe ReversingLabs: Detection: 21%
Source: unknown Process created: C:\Users\user\Desktop\K0bg9rZl2L.exe 'C:\Users\user\Desktop\K0bg9rZl2L.exe'
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Process created: C:\Users\user\Desktop\K0bg9rZl2L.exe C:\Users\user\Desktop\K0bg9rZl2L.exe
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: K0bg9rZl2L.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: K0bg9rZl2L.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Binary contains a suspicious time stamp
Source: K0bg9rZl2L.exe Static PE information: 0xAF2CEA60 [Sat Feb 17 16:46:24 2063 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 0_2_027D92C9 push FFFFFFE9h; retf 0_2_027D92CB
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 0_2_027DD0E5 push FFFFFF8Bh; iretd 0_2_027DD0F6
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 0_2_027DD487 push dword ptr [esp+ecx*2-75h]; ret 0_2_027DD48B
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 0_2_02858195 push FFFFFF8Bh; retf 0_2_02858197
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 0_2_028581E9 push FFFFFF8Bh; retf 0_2_028581EB
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 0_2_028559F8 push esp; retf 0_2_028559F9
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 6_2_0278D95C push eax; ret 6_2_0278D95D
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 6_2_0278E332 push eax; ret 6_2_0278E349

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.5a70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.433dbb8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.698060077.0000000005A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: K0bg9rZl2L.exe PID: 6860, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLUSER
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4367 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2711 Jump to behavior
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Window / User API: threadDelayed 1747 Jump to behavior
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Window / User API: threadDelayed 8063 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe TID: 6880 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7112 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe TID: 5984 Thread sleep time: -25825441703193356s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe TID: 5728 Thread sleep count: 1747 > 30 Jump to behavior
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe TID: 5728 Thread sleep count: 8063 > 30 Jump to behavior
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe TID: 5984 Thread sleep count: 36 > 30 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: powershell.exe, 00000003.00000003.732891085.0000000005588000.00000004.00000001.sdmp Binary or memory string: k:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp Binary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: powershell.exe, 00000003.00000003.732891085.0000000005588000.00000004.00000001.sdmp Binary or memory string: Hyper-V
Source: K0bg9rZl2L.exe, 00000000.00000002.666708032.0000000000B57000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: K0bg9rZl2L.exe, 00000000.00000002.697157152.0000000004E50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp Binary or memory string: vmware
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: K0bg9rZl2L.exe, 00000000.00000002.697157152.0000000004E50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: K0bg9rZl2L.exe, 00000000.00000002.697157152.0000000004E50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp Binary or memory string: VMwareVBox
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: K0bg9rZl2L.exe, 00000006.00000002.915075065.0000000000C72000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: K0bg9rZl2L.exe, 00000000.00000002.697157152.0000000004E50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Code function: 0_2_027D41E8 LdrInitializeThunk, 0_2_027D41E8
Enables debug privileges
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Memory written: C:\Users\user\Desktop\K0bg9rZl2L.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Process created: C:\Users\user\Desktop\K0bg9rZl2L.exe C:\Users\user\Desktop\K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000006.00000002.915673246.0000000001350000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: K0bg9rZl2L.exe, 00000006.00000002.915673246.0000000001350000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: K0bg9rZl2L.exe, 00000006.00000002.915673246.0000000001350000.00000002.00000001.sdmp Binary or memory string: Progman
Source: K0bg9rZl2L.exe, 00000006.00000002.915673246.0000000001350000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Queries volume information: C:\Users\user\Desktop\K0bg9rZl2L.exe VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Queries volume information: C:\Users\user\Desktop\K0bg9rZl2L.exe VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.3b01478.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.3ae1458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.K0bg9rZl2L.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.3b01478.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.3879510.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.3879510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.914072243.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.3b01478.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.3ae1458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.K0bg9rZl2L.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.3b01478.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.3879510.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.3879510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.914072243.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: K0bg9rZl2L.exe PID: 1316, type: MEMORY
Source: Yara match File source: Process Memory Space: K0bg9rZl2L.exe PID: 6860, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: K0bg9rZl2L.exe PID: 1316, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.3b01478.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.3ae1458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.K0bg9rZl2L.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.3b01478.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.3879510.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.3879510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.914072243.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.3b01478.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.3ae1458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.K0bg9rZl2L.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.3b01478.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.3879510.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K0bg9rZl2L.exe.3879510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.914072243.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: K0bg9rZl2L.exe PID: 1316, type: MEMORY
Source: Yara match File source: Process Memory Space: K0bg9rZl2L.exe PID: 6860, type: MEMORY