File name:	ll.exe
Full analysis:	https://app.any.run/tasks/5ceba2e3-4565-43cd-a55d-47ed611f9f42
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 14, 2024, 01:11:22
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader stealer arch-doc arch-exec vmprotect
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:	56639CE27CC7D7EB971C0CCBD0176C88
SHA1:	1146FA062B6E794220B785D25B74D87A658BBC4B
SHA256:	248210AB5672DABF88D101D810BD3E8A9050DF0C2D026A19F92576AEBFEB23F4
SSDEEP:	6144:GcQEwhWfK91Iho2C+8DbLbTz2FpOAp6pdb7xSv9qCU1N:G9EIkm2CF3z2FpOh5Sv98

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:08:19 15:44:24+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	252928
InitializedDataSize:	547840
UninitializedDataSize:	-
EntryPoint:	0x36850
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	5.0.0.4
ProductVersionNumber:	1.6.0.0
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Roblox Corporation
FileDescription:	ECS:R Bootstrapper
FileVersion:	5, 0, 0, 004
LegalCopyright:	(C) 2012 Roblox Corporation. All rights reserved.
OriginalFileName:	Roblox.exe
ProductName:	ECS:R Bootstrapper
ProductVersion:	1, 6, 0, 0


(PID) Process:	(6696) ll.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\ROBLOX Corporation\Roblox
Operation:	write	Name:	CPath
Value: C:\Users\admin\AppData\LocalLow\rbxcsettings.rbx
(PID) Process:	(6696) ll.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\ROBLOX Corporation\Roblox
Operation:	delete value	Name:	curStudioVer
Value:
(PID) Process:	(6696) ll.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\ROBLOX Corporation\Roblox
Operation:	delete value	Name:	curStudioUrl
Value:
(PID) Process:	(6696) ll.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6696) ll.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6696) ll.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6696) ll.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{65D12F6E-CAE5-4AF4-81F2-9BBD441AB249}
Operation:	write	Name:	AppName
Value: RobloxPlayerLauncher.exe
(PID) Process:	(6696) ll.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{65D12F6E-CAE5-4AF4-81F2-9BBD441AB249}
Operation:	write	Name:	Policy
Value: 3
(PID) Process:	(6696) ll.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{65D12F6E-CAE5-4AF4-81F2-9BBD441AB249}
Operation:	write	Name:	AppPath
Value: C:\Users\admin\AppData\Local\ECSR\Versions\ECSRClient230824\
(PID) Process:	(6696) ll.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\ROBLOX Corporation\Roblox
Operation:	write	Name:	curQTStudioVer
Value:

PID	Process	Filename		Type
6696	ll.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\WindowsBootstrapperSettings[1].json		binary
		MD5:A84B13E2C16BF4F34AE2B8BAF90B88D7	SHA256:2B5067D9D65EF10CAF355D42E45B72A2ACD557FD9BC5A6474B38E5FCAB3E0195
6696	ll.exe	C:\Users\admin\AppData\Local\Temp\RBX-EEA1371F.tmp		compressed
		MD5:04703DC98F385BED4A5C71C1C2C50032	SHA256:74971652DCA12F48DAE7678FACF6E1C5538D1D237CE7535FA41697C0DBD751DD
6696	ll.exe	C:\Users\admin\AppData\Local\ECSR\Versions\ECSRClient230824\RobloxPlayerLauncher.exe		executable
		MD5:56639CE27CC7D7EB971C0CCBD0176C88	SHA256:248210AB5672DABF88D101D810BD3E8A9050DF0C2D026A19F92576AEBFEB23F4
6696	ll.exe	C:\Users\admin\AppData\Local\ECSR\Versions\ECSRClient230824\NPRobloxProxy.dll		executable
		MD5:BFAF9EC4443B5F4DC3A4D958F3C7286A	SHA256:6611207695BA5D48F1FDD42501DD448B59BF830684BD16A00C91FD75AB9EA1EE
6696	ll.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\GetCurrentClientVersionUpload[1].txt		text
		MD5:E51FC90B54F900EEC9B29CBC662299D6	SHA256:E8CD0BFC18925596BABB0B07ABA79D57647A5DD20367270C74176730530790E8
6696	ll.exe	C:\Users\admin\AppData\LocalLow\rbxcsettings.rbx		text
		MD5:818B469A34FD6BF9FF2C4FA463410A55	SHA256:2E81AD6E973D1B9C66E30393EFFCBE0302E15B54F183E149C1047799E88E0B1E
6696	ll.exe	C:\Users\admin\AppData\Local\ECSR\Downloads\1daf4eccbd4abee		compressed
		MD5:04703DC98F385BED4A5C71C1C2C50032	SHA256:74971652DCA12F48DAE7678FACF6E1C5538D1D237CE7535FA41697C0DBD751DD
6696	ll.exe	C:\Users\admin\AppData\Local\Temp\RBX-217164C1.tmp		compressed
		MD5:0243BB4550B79C97EA553AAF386B4055	SHA256:1F5B70B45AFA9FEBE00123AB795FFE3FF7395324871570B12AFE4C94A5F31E04
6696	ll.exe	C:\Users\admin\AppData\Local\ECSR\Downloads\1daf4eccbd0d5a4		compressed
		MD5:0243BB4550B79C97EA553AAF386B4055	SHA256:1F5B70B45AFA9FEBE00123AB795FFE3FF7395324871570B12AFE4C94A5F31E04
6696	ll.exe	C:\Users\admin\AppData\Local\ECSR\Versions\ECSRClient230824\RobloxProxy.dll		executable
		MD5:BECBFD4C7362015E7A2C2E7E24EED94A	SHA256:FED04851FF547EFDDDED3B710A9A3A097E6125B4E8826F9B43EC182494421EAB

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6944	svchost.exe	GET	200	2.20.245.137:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6696	ll.exe	GET	200	188.114.97.3:80	http://ecsr.io/BootstrapperDeployment/ECSRClient230824-content-music.zip	unknown	—	—	whitelisted
6696	ll.exe	GET	200	188.114.97.3:80	http://ecsr.io/BootstrapperDeployment/ECSRClient230824-redist.zip	unknown	—	—	whitelisted
6696	ll.exe	GET	200	188.114.97.3:80	http://ecsr.io/BootstrapperDeployment/ECSRClient230824-content-textures3.zip	unknown	—	—	whitelisted
6696	ll.exe	GET	200	188.114.97.3:80	http://ecsr.io/BootstrapperDeployment/ECSRClient230824-content-terrain.zip	unknown	—	—	whitelisted
—	—	GET	200	188.114.97.3:443	https://ecsr.io/apisite/versioncompatibility/GetCurrentClientVersionUpload/?apiKey=76e5a40c-3ae1-4028-9f10-7c62520bd94b&binaryType=WindowsPlayer	unknown	—	—	—
5488	MoUsoCoreWorker.exe	GET	200	2.20.245.137:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3524	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
6944	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5488	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3524	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.23.209.185:443	www.bing.com	Akamai International B.V.	GB	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6696	ll.exe	188.114.97.3:443	ecsr.io	CLOUDFLARENET	NL	unknown
6944	svchost.exe	2.20.245.137:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5488	MoUsoCoreWorker.exe	2.20.245.137:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
3524	RUXIMICS.exe	2.20.245.137:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 51.124.78.146	whitelisted
www.bing.com	2.23.209.185 2.23.209.189 2.23.209.133 2.23.209.130 2.23.209.187	whitelisted
google.com	142.250.186.142	whitelisted
ecsr.io	188.114.97.3 188.114.96.3	unknown
crl.microsoft.com	2.20.245.137 2.20.245.138	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
edge.microsoft.com	13.107.21.239 204.79.197.239	whitelisted
edge-mobile-static.azureedge.net	13.107.246.45	whitelisted
business.bing.com	13.107.6.158	whitelisted

PID	Process	Class	Message
6696	ll.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	Potentially Bad Traffic	ET INFO Possible Chrome Plugin install
616	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
616	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)

General Info

ll.exe

56639CE27CC7D7EB971C0CCBD0176C88

1146FA062B6E794220B785D25B74D87A658BBC4B

248210AB5672DABF88D101D810BD3E8A9050DF0C2D026A19F92576AEBFEB23F4

6144:GcQEwhWfK91Iho2C+8DbLbTz2FpOAp6pdb7xSv9qCU1N:G9EIkm2CF3z2FpOh5Sv98

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

SUSPICIOUS

Detected use of alternative data streams (AltDS)

Reads security settings of Internet Explorer

Creates/Modifies COM task schedule object

Process drops legitimate windows executable

The process drops C-runtime libraries

Checks Windows Trust Settings

Process requests binary or script from the Internet

Executable content was dropped or overwritten

Potential Corporate Privacy Violation

Creates a software uninstall entry

The process checks if it is being run in the virtual environment

INFO

Creates files or folders in the user directory

Reads security settings of Internet Explorer

Manual execution by a user

Process checks computer location settings

Create files in a temporary directory

Checks supported languages

Checks proxy server information

Reads the software policy settings

Reads the machine GUID from the registry

Reads the computer name

Reads Microsoft Office registry keys

Reads Environment values

VMProtect protector has been detected

Application launched itself

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings