Windows Analysis Report
rliquida____odefaturadepagamento.exe

Overview

General Information

Sample name: rliquida____odefaturadepagamento.exe
Analysis ID: 1529044
MD5: 383574fcb2a1b030666cb7c3be603445
SHA1: 2fcf52b141d329798d4d9c6fc1c2b3326a8ccdc9
SHA256: b0a9e6a7deccda1f29e48f243f15e225f59e9fe11e7ce25f9433e3f8d233ad6c
Tags: exeuser-Porcupine
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Found malware configuration
Source: 00000002.00000002.2355015844.0000000000702000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@setarehatlaspars.com", "Password": "Set@reh1398", "Host": "webmail.setarehatlaspars.com", "Port": "587", "Version": "5.1"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe ReversingLabs: Detection: 26%
Multi AV Scanner detection for submitted file
Source: rliquida____odefaturadepagamento.exe ReversingLabs: Detection: 26%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: rliquida____odefaturadepagamento.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: rliquida____odefaturadepagamento.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49739 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49786 version: TLS 1.0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log Jump to behavior
Source: rliquida____odefaturadepagamento.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2064357881.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.0000000004029000.00000004.00000800.00020000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2044343749.0000000003398000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2195287029.0000000004170000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2177753295.00000000032E5000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2195287029.0000000003FC7000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000006.00000002.2266200449.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000006.00000002.2290932961.0000000004457000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2064357881.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.0000000004029000.00000004.00000800.00020000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2044343749.0000000003398000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2195287029.0000000004170000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2177753295.00000000032E5000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2195287029.0000000003FC7000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000006.00000002.2266200449.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000006.00000002.2290932961.0000000004457000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2063179296.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.0000000004029000.00000004.00000800.00020000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2063179296.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.0000000004029000.00000004.00000800.00020000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 4x nop then jmp 0585942Ch 0_2_058590CD
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 4x nop then jmp 0585942Ch 0_2_058590D8
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 4x nop then jmp 05861E30h 0_2_05861D73
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 4x nop then jmp 05861E30h 0_2_05861D78
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 4x nop then jmp 0586813Eh 0_2_05867F06
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 4x nop then jmp 0586813Eh 0_2_05867E08
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 4x nop then jmp 0586813Eh 0_2_05867E18
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_058660F0
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_058660F8
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_0593CE18
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 4x nop then jmp 058B942Ch 3_2_058B90D8
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 4x nop then jmp 058B942Ch 3_2_058B90D3
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 4x nop then jmp 058C1E30h 3_2_058C1D78
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 4x nop then jmp 058C1E30h 3_2_058C1D72
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 4x nop then jmp 058C813Eh 3_2_058C7F06
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 4x nop then jmp 058C813Eh 3_2_058C7E08
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 4x nop then jmp 058C813Eh 3_2_058C7E18
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 3_2_058C60F8
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 3_2_058C60F0
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 3_2_0599CE18
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 4x nop then jmp 059A942Ch 6_2_059A90A4
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 4x nop then jmp 059A942Ch 6_2_059A90D8
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 4x nop then jmp 059B1E30h 6_2_059B1D78
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 4x nop then jmp 059B1E30h 6_2_059B1D71
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 4x nop then jmp 059B813Eh 6_2_059B7F06
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 4x nop then jmp 059B813Eh 6_2_059B7E18
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 4x nop then jmp 059B813Eh 6_2_059B7E08
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 6_2_059B60F8
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 6_2_059B60F0
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 6_2_05D3CE18

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rliquida____odefaturadepagamento.exe.41da780.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Koerxmxvkh.exe.41e8a00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49709 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49742 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49801 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49714 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49754 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49708 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49748 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49785 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49743 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49796 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49853 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49855 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49876 -> 188.114.96.3:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49739 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49786 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: InstallUtil.exe, 00000002.00000002.2357847009.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.00000000027B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.000000000278D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.000000000279A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.00000000026FA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D42000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D50000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002C94000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.000000000254B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.0000000002510000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.00000000024E7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.0000000002454000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.000000000253D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.00000000024F5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.0000000002502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000002.00000002.2357847009.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.00000000027B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.000000000278D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.000000000273C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.000000000279A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.00000000026FA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.0000000002641000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D42000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D50000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002C94000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002C88000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.000000000254B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000004.00000002.2555666774.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.0000000002391000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: InstallUtil.exe, 00000002.00000002.2357847009.0000000002641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/0
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2044343749.0000000003021000.00000004.00000800.00020000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.000000000429E000.00000004.00000800.00020000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2355015844.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2195287029.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2177753295.0000000003366000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2195287029.0000000004024000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000006.00000002.2266200449.0000000003786000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000006.00000002.2290932961.00000000044B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: InstallUtil.exe, 00000002.00000002.2357847009.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.00000000027B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.000000000278D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.000000000279A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.0000000002712000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002CAC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D42000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D50000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.000000000254B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.0000000002510000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.00000000024E7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.000000000246C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.000000000253D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.00000000024F5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.0000000002502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2044343749.0000000003021000.00000004.00000800.00020000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2044343749.0000000003398000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.0000000002641000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2177753295.00000000032E5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000006.00000002.2266200449.0000000003705000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.0000000002391000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2063179296.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.0000000004029000.00000004.00000800.00020000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2063179296.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.0000000004029000.00000004.00000800.00020000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2195287029.0000000004170000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000006.00000002.2290932961.0000000004600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2063179296.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.0000000004029000.00000004.00000800.00020000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000002.00000002.2357847009.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.00000000027B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.000000000278D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.000000000273C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.000000000279A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.00000000026FA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D42000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D50000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002C94000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.000000000254B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.0000000002510000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.00000000024E7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.0000000002454000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.000000000253D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2044343749.0000000003021000.00000004.00000800.00020000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.000000000429E000.00000004.00000800.00020000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2355015844.0000000000702000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.00000000026FA000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2195287029.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2177753295.0000000003366000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2195287029.0000000004024000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002C94000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000006.00000002.2266200449.0000000003786000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000006.00000002.2290932961.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.0000000002454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 00000007.00000002.2548344456.0000000002497000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: InstallUtil.exe, 00000002.00000002.2357847009.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.00000000027B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.000000000278D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.000000000273C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2357847009.000000000279A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D42000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2555666774.0000000002D50000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.000000000254B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.0000000002510000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.00000000024E7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.000000000253D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.00000000024F5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.0000000002502000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2548344456.0000000002497000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2063179296.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.0000000004029000.00000004.00000800.00020000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2063179296.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2044343749.0000000003021000.00000004.00000800.00020000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.0000000004029000.00000004.00000800.00020000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2177753295.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000006.00000002.2266200449.00000000034C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2063179296.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.0000000004029000.00000004.00000800.00020000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57721
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 57744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57737
Source: unknown Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 57737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57746
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57744
Source: unknown Network traffic detected: HTTP traffic on port 57746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.rliquida____odefaturadepagamento.exe.41da780.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rliquida____odefaturadepagamento.exe.41da780.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rliquida____odefaturadepagamento.exe.41da780.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rliquida____odefaturadepagamento.exe.41da780.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.Koerxmxvkh.exe.41e8a00.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Koerxmxvkh.exe.41e8a00.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Koerxmxvkh.exe.41e8a00.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.Koerxmxvkh.exe.41e8a00.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.Koerxmxvkh.exe.41e8a00.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Koerxmxvkh.exe.41e8a00.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.Koerxmxvkh.exe.41e8a00.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.Koerxmxvkh.exe.41e8a00.3.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.2195287029.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.2195287029.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.2177753295.0000000003366000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000006.00000002.2266200449.0000000003786000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.2355015844.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2355015844.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.2195287029.0000000004024000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.2195287029.0000000004024000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2060230016.000000000429E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2060230016.000000000429E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000006.00000002.2290932961.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.2290932961.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2044343749.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: rliquida____odefaturadepagamento.exe PID: 3200, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rliquida____odefaturadepagamento.exe PID: 3200, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 2448, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 2448, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Koerxmxvkh.exe PID: 1440, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Koerxmxvkh.exe PID: 1440, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Koerxmxvkh.exe PID: 3168, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Koerxmxvkh.exe PID: 3168, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Contains functionality to call native functions
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05864700 NtResumeThread, 0_2_05864700
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05863250 NtProtectVirtualMemory, 0_2_05863250
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_058646F9 NtResumeThread, 0_2_058646F9
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05863249 NtProtectVirtualMemory, 0_2_05863249
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058C4700 NtResumeThread, 3_2_058C4700
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058C3250 NtProtectVirtualMemory, 3_2_058C3250
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058C46F9 NtResumeThread, 3_2_058C46F9
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058C3249 NtProtectVirtualMemory, 3_2_058C3249
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_059B4700 NtResumeThread, 6_2_059B4700
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_059B3250 NtProtectVirtualMemory, 6_2_059B3250
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_059B46F8 NtResumeThread, 6_2_059B46F8
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_059B3249 NtProtectVirtualMemory, 6_2_059B3249
Detected potential crypto function
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_02E149F0 0_2_02E149F0
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_02E17652 0_2_02E17652
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_02E1C418 0_2_02E1C418
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_02E17D20 0_2_02E17D20
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_02E149E1 0_2_02E149E1
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_02E17652 0_2_02E17652
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_02E17652 0_2_02E17652
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_02E17D12 0_2_02E17D12
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0578CD58 0_2_0578CD58
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0578142C 0_2_0578142C
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0578C058 0_2_0578C058
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05780040 0_2_05780040
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0578C414 0_2_0578C414
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05785F50 0_2_05785F50
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05785F41 0_2_05785F41
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05782F30 0_2_05782F30
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05784140 0_2_05784140
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0578412F 0_2_0578412F
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0578B870 0_2_0578B870
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0578C048 0_2_0578C048
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0578001F 0_2_0578001F
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05780007 0_2_05780007
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0578B880 0_2_0578B880
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0585B8E0 0_2_0585B8E0
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0585A828 0_2_0585A828
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05855B78 0_2_05855B78
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0585CDEA 0_2_0585CDEA
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0585CDF8 0_2_0585CDF8
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0585B8D0 0_2_0585B8D0
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05860040 0_2_05860040
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05867F06 0_2_05867F06
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05867E08 0_2_05867E08
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05867E18 0_2_05867E18
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0586F089 0_2_0586F089
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0586F098 0_2_0586F098
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05860007 0_2_05860007
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05862391 0_2_05862391
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_058623A0 0_2_058623A0
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0587C530 0_2_0587C530
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_058787E0 0_2_058787E0
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_058792C8 0_2_058792C8
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05870007 0_2_05870007
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05870040 0_2_05870040
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_058792B8 0_2_058792B8
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05878896 0_2_05878896
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0587C857 0_2_0587C857
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0587DB28 0_2_0587DB28
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05930006 0_2_05930006
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05930040 0_2_05930040
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05BED0C0 0_2_05BED0C0
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05BD0006 0_2_05BD0006
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05BD0040 0_2_05BD0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_04AC46D9 2_2_04AC46D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_04ACB7E2 2_2_04ACB7E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_04ACC761 2_2_04ACC761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_04AC6748 2_2_04AC6748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_04ACC080 2_2_04ACC080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_04AC6120 2_2_04AC6120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_04ACB338 2_2_04ACB338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_04ACBDA0 2_2_04ACBDA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_04AC9868 2_2_04AC9868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_04ACBAC0 2_2_04ACBAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_04ACCA41 2_2_04ACCA41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_04ACB503 2_2_04ACB503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_04AC3570 2_2_04AC3570
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_014249F0 3_2_014249F0
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_01427350 3_2_01427350
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_0142EAB0 3_2_0142EAB0
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_01427D20 3_2_01427D20
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_0142C418 3_2_0142C418
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_014249E1 3_2_014249E1
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_01427D12 3_2_01427D12
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_01425788 3_2_01425788
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_01425798 3_2_01425798
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_01427350 3_2_01427350
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_01427350 3_2_01427350
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_053F0048 3_2_053F0048
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_053F0000 3_2_053F0000
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_057ECD59 3_2_057ECD59
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_057E142C 3_2_057E142C
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_057EC058 3_2_057EC058
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_057E0040 3_2_057E0040
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_057EC414 3_2_057EC414
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_057E5F50 3_2_057E5F50
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_057E5F41 3_2_057E5F41
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_057E2F30 3_2_057E2F30
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_057E4140 3_2_057E4140
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_057E412F 3_2_057E412F
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_057EB870 3_2_057EB870
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_057EC048 3_2_057EC048
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_057E001F 3_2_057E001F
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_057E0007 3_2_057E0007
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_057EB880 3_2_057EB880
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058BB8E0 3_2_058BB8E0
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058BA828 3_2_058BA828
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058B5B78 3_2_058B5B78
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058BCDEB 3_2_058BCDEB
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058BCDF8 3_2_058BCDF8
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058BB8D0 3_2_058BB8D0
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058C0040 3_2_058C0040
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058CDC98 3_2_058CDC98
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058CDCA8 3_2_058CDCA8
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058C7F06 3_2_058C7F06
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058C7E08 3_2_058C7E08
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058C7E18 3_2_058C7E18
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058C0007 3_2_058C0007
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058C2391 3_2_058C2391
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058C23A0 3_2_058C23A0
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058DC530 3_2_058DC530
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058D87E0 3_2_058D87E0
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058DDB28 3_2_058DDB28
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058D0013 3_2_058D0013
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058D0040 3_2_058D0040
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058D92B8 3_2_058D92B8
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058D92C8 3_2_058D92C8
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058D8896 3_2_058D8896
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058DC857 3_2_058DC857
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_05964810 3_2_05964810
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_05964801 3_2_05964801
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_05990006 3_2_05990006
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_05990040 3_2_05990040
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_05C4D0C0 3_2_05C4D0C0
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_05C30040 3_2_05C30040
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_05C30023 3_2_05C30023
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02A8B328 4_2_02A8B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02A8C193 4_2_02A8C193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02A86108 4_2_02A86108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02A8C753 4_2_02A8C753
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02A8C470 4_2_02A8C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02A84AD9 4_2_02A84AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02A8CA33 4_2_02A8CA33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02A8BBD3 4_2_02A8BBD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02A86880 4_2_02A86880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02A89858 4_2_02A89858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02A8BEB0 4_2_02A8BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02A8B4F3 4_2_02A8B4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02A83573 4_2_02A83573
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_019EEAB0 6_2_019EEAB0
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_019E4AA6 6_2_019E4AA6
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_019E7D20 6_2_019E7D20
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_019EC418 6_2_019EC418
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_019E21B4 6_2_019E21B4
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_019E2304 6_2_019E2304
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_019E22AF 6_2_019E22AF
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_019E7D14 6_2_019E7D14
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_019E5798 6_2_019E5798
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_019E5788 6_2_019E5788
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_0598CD58 6_2_0598CD58
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_0598142C 6_2_0598142C
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_0598C058 6_2_0598C058
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05980040 6_2_05980040
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_0598C414 6_2_0598C414
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05982F30 6_2_05982F30
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05985F50 6_2_05985F50
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05985F41 6_2_05985F41
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_0598412F 6_2_0598412F
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05984140 6_2_05984140
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_0598B880 6_2_0598B880
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05980006 6_2_05980006
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_0598C048 6_2_0598C048
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_0598B870 6_2_0598B870
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_059AB8E0 6_2_059AB8E0
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_059AA828 6_2_059AA828
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_059A5B78 6_2_059A5B78
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_059ACDF8 6_2_059ACDF8
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_059ACDEB 6_2_059ACDEB
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_059AB8D0 6_2_059AB8D0
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_059B0040 6_2_059B0040
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_059BDC98 6_2_059BDC98
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_059BDCA8 6_2_059BDCA8
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_059B7F06 6_2_059B7F06
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_059B7E18 6_2_059B7E18
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_059B7E08 6_2_059B7E08
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_059B0007 6_2_059B0007
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_059B2391 6_2_059B2391
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_059B23A0 6_2_059B23A0
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05A8C522 6_2_05A8C522
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05A887E0 6_2_05A887E0
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05A80006 6_2_05A80006
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05A80040 6_2_05A80040
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05A892B8 6_2_05A892B8
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05A892C8 6_2_05A892C8
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05A88896 6_2_05A88896
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05A8C857 6_2_05A8C857
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05A8DB38 6_2_05A8DB38
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05D04810 6_2_05D04810
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05D04801 6_2_05D04801
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05D30040 6_2_05D30040
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05D30007 6_2_05D30007
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05FED0C0 6_2_05FED0C0
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05FD0040 6_2_05FD0040
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05FD0006 6_2_05FD0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02216108 7_2_02216108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0221C190 7_2_0221C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02216730 7_2_02216730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0221C751 7_2_0221C751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0221C470 7_2_0221C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0221B4FB 7_2_0221B4FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02213570 7_2_02213570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0221CA31 7_2_0221CA31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02214AD9 7_2_02214AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0221BBD2 7_2_0221BBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02219858 7_2_02219858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0221BEB0 7_2_0221BEB0
Sample file is different than original file name gathered from version info
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2064357881.0000000005A40000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs rliquida____odefaturadepagamento.exe
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2063179296.00000000057F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs rliquida____odefaturadepagamento.exe
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2062593680.0000000005690000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamePkfbundhp.dll" vs rliquida____odefaturadepagamento.exe
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2044343749.0000000003021000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs rliquida____odefaturadepagamento.exe
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2044343749.0000000003021000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rliquida____odefaturadepagamento.exe
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.000000000429E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePkfbundhp.dll" vs rliquida____odefaturadepagamento.exe
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.0000000004029000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs rliquida____odefaturadepagamento.exe
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.0000000004029000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs rliquida____odefaturadepagamento.exe
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs rliquida____odefaturadepagamento.exe
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rliquida____odefaturadepagamento.exe
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2041283011.000000000121E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs rliquida____odefaturadepagamento.exe
Source: rliquida____odefaturadepagamento.exe, 00000000.00000000.2029036205.00000000009F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLzstsk.exe. vs rliquida____odefaturadepagamento.exe
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2044343749.0000000003398000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs rliquida____odefaturadepagamento.exe
Source: rliquida____odefaturadepagamento.exe Binary or memory string: OriginalFilenameLzstsk.exe. vs rliquida____odefaturadepagamento.exe
Uses 32bit PE files
Source: rliquida____odefaturadepagamento.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.rliquida____odefaturadepagamento.exe.41da780.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rliquida____odefaturadepagamento.exe.41da780.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rliquida____odefaturadepagamento.exe.41da780.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rliquida____odefaturadepagamento.exe.41da780.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.Koerxmxvkh.exe.41e8a00.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Koerxmxvkh.exe.41e8a00.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Koerxmxvkh.exe.41e8a00.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Koerxmxvkh.exe.41e8a00.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.Koerxmxvkh.exe.41e8a00.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Koerxmxvkh.exe.41e8a00.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Koerxmxvkh.exe.41e8a00.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.Koerxmxvkh.exe.41e8a00.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.2195287029.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.2195287029.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.2177753295.0000000003366000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000006.00000002.2266200449.0000000003786000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.2355015844.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2355015844.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.2195287029.0000000004024000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.2195287029.0000000004024000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2060230016.000000000429E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2060230016.000000000429E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000006.00000002.2290932961.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.2290932961.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2044343749.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: rliquida____odefaturadepagamento.exe PID: 3200, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: rliquida____odefaturadepagamento.exe PID: 3200, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: InstallUtil.exe PID: 2448, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 2448, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Koerxmxvkh.exe PID: 1440, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Koerxmxvkh.exe PID: 1440, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Koerxmxvkh.exe PID: 3168, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Koerxmxvkh.exe PID: 3168, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: rliquida____odefaturadepagamento.exe, InfoClassRule.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, XZqr3KxXrV2Z3s67Q8Y.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, XZqr3KxXrV2Z3s67Q8Y.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, XZqr3KxXrV2Z3s67Q8Y.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, XZqr3KxXrV2Z3s67Q8Y.cs Cryptographic APIs: 'CreateDecryptor'
Source: rliquida____odefaturadepagamento.exe, TaskInitializer.cs Task registration methods: 'CreateVisitor', 'CreateParser', 'RegisterVisitor'
Source: 0.2.rliquida____odefaturadepagamento.exe.4029550.4.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.rliquida____odefaturadepagamento.exe.4029550.4.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.rliquida____odefaturadepagamento.exe.4029550.4.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.rliquida____odefaturadepagamento.exe.4029550.4.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.rliquida____odefaturadepagamento.exe.4029550.4.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.rliquida____odefaturadepagamento.exe.4029550.4.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.rliquida____odefaturadepagamento.exe.4029550.4.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.rliquida____odefaturadepagamento.exe.4029550.4.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rliquida____odefaturadepagamento.exe.4029550.4.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.rliquida____odefaturadepagamento.exe.4029550.4.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: classification engine Classification label: mal100.troj.evad.winEXE@24/3@2/2
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe File created: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2072:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1440:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1488:120:WilError_03
Source: rliquida____odefaturadepagamento.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rliquida____odefaturadepagamento.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: rliquida____odefaturadepagamento.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe File read: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe "C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe"
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe "C:\Users\user\AppData\Roaming\Koerxmxvkh.exe"
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe "C:\Users\user\AppData\Roaming\Koerxmxvkh.exe"
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: rliquida____odefaturadepagamento.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: rliquida____odefaturadepagamento.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: rliquida____odefaturadepagamento.exe Static file information: File size 2386432 > 1048576
Source: rliquida____odefaturadepagamento.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x246000
Source: rliquida____odefaturadepagamento.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2064357881.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.0000000004029000.00000004.00000800.00020000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2044343749.0000000003398000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2195287029.0000000004170000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2177753295.00000000032E5000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2195287029.0000000003FC7000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000006.00000002.2266200449.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000006.00000002.2290932961.0000000004457000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2064357881.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.0000000004029000.00000004.00000800.00020000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2044343749.0000000003398000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2195287029.0000000004170000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2177753295.00000000032E5000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2195287029.0000000003FC7000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000006.00000002.2266200449.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000006.00000002.2290932961.0000000004457000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2063179296.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.0000000004029000.00000004.00000800.00020000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2063179296.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.0000000004029000.00000004.00000800.00020000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, XZqr3KxXrV2Z3s67Q8Y.cs .Net Code: Type.GetTypeFromHandle(yM8CUWipG5bB0IVpVFZ.SKTsr45snK(16777265)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(yM8CUWipG5bB0IVpVFZ.SKTsr45snK(16777259)),Type.GetTypeFromHandle(yM8CUWipG5bB0IVpVFZ.SKTsr45snK(16777263))})
.NET source code contains potential unpacker
Source: rliquida____odefaturadepagamento.exe, StateClass.cs .Net Code: VisitStub System.AppDomain.Load(byte[])
Source: 0.2.rliquida____odefaturadepagamento.exe.4029550.4.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.rliquida____odefaturadepagamento.exe.4029550.4.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.rliquida____odefaturadepagamento.exe.4029550.4.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Yara detected Costura Assembly Loader
Source: Yara match File source: 0.2.rliquida____odefaturadepagamento.exe.5790000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rliquida____odefaturadepagamento.exe.4105d20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rliquida____odefaturadepagamento.exe.4029550.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2266200449.0000000003499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2063013108.0000000005790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2060230016.0000000004029000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2044343749.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2177753295.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rliquida____odefaturadepagamento.exe PID: 3200, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Koerxmxvkh.exe PID: 1440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Koerxmxvkh.exe PID: 3168, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_02E1601F push ss; iretd 0_2_02E16036
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_02E17610 push eax; ret 0_2_02E17611
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05500D13 push eax; iretd 0_2_05500D1D
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05502FE0 pushad ; retf 0_2_05503031
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05502FE2 pushad ; retf 0_2_05503031
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05786E2C push E8055232h; retf 0_2_05786E31
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05788278 pushad ; iretd 0_2_05788279
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0578827A push eax; iretd 0_2_05788281
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0585A790 pushfd ; iretd 0_2_0585A791
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0585A710 push esp; iretd 0_2_0585A711
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_058731F4 push ebp; iretd 0_2_058731FB
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_0587322F push ds; iretd 0_2_05873232
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Code function: 0_2_05BD2035 push ebp; ret 0_2_05BD2038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_04ACACDF push dword ptr [ebp+ebx-75h]; iretd 2_2_04ACACAD
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_01427610 push eax; ret 3_2_01427611
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_057E6E2C push E8057832h; retf 3_2_057E6E31
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_057E827A push eax; iretd 3_2_057E8281
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_057E8278 pushad ; iretd 3_2_057E8279
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058B4810 push esp; retf 3_2_058B481D
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058BA790 pushfd ; iretd 3_2_058BA791
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058BA710 push esp; iretd 3_2_058BA711
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058D31F4 push ebp; iretd 3_2_058D31FB
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_058D322F push ds; iretd 3_2_058D3232
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_05960718 pushfd ; ret 3_2_05960725
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_05C315B5 push ss; ret 3_2_05C315C8
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 3_2_05C32035 push ebp; ret 3_2_05C32038
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_019E601F push ss; iretd 6_2_019E6036
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_019E7610 push eax; ret 6_2_019E7611
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05986E2C push E8058E32h; retf 6_2_05986E31
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_05988278 pushad ; iretd 6_2_05988279
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Code function: 6_2_0598827A push eax; iretd 6_2_05988281
Source: 0.2.rliquida____odefaturadepagamento.exe.5690000.8.raw.unpack, PwYLRVuMFkfydfAmtu2.cs High entropy of concatenated method names: 'WTbuETjKxW', 'T7fpDZLqh9pwpmj3AQI', 'nh1dDiLbXvCpERC2pcL', 'PLodYnLOn2mIb1vEsvD', 'fjUGfILzIwYuGc2Ppds', 'zBJxQ0MSQvPMBp6alps', 'kcykWrL6cGV5qkp9R4n', 'KaZ5UvLf2mKPtWD2SFD'
Source: 0.2.rliquida____odefaturadepagamento.exe.5690000.8.raw.unpack, tqPNnXvyZl5mgsjm3ri.cs High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'JPgvCn1scf', 'NtProtectVirtualMemory', 'XQM3wrFXsIvNwYQqwOt', 'AgvDU7FHLa2c7V9R2YA', 'OvdjiXFruLhQS6wj9Bh', 'Sp28aFFguwFhJgHRZJM'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, AssemblyLoader.cs High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'lwZuSfrRxHaDYHY3o6T'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, tU19i5v3X0a3QxEpZnT.cs High entropy of concatenated method names: 'V02vhvKvH2', 'vVbva67IKy', 'qakvwoZXC8', 'EravP9OOV6', 'V8jvo3Y2PR', 'F7KvN8BNKC', 'hCkveKTvt5', 'Rrlv4smfEh', 'qSgvJUheM5', 'XgJv545vEp'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, vorraPaBnFLSUINRFL.cs High entropy of concatenated method names: 'WRdTTS7UV', 'vc2PMXVdi', 'j2vNJ20OK', 'N2FemU3s7', 'wwewHskL3', 'HWBu00k6JUjcMOMgiHQ', 'FU4TdhkfolInVfFcjeo', 'dx9SoWkqwAjSJTxcsXE', 'TeRoeVkbBZ2tpFoGVsP', 'M17FAtkOFyYF51sepuW'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, KaEv09xpkA93hWHWWQw.cs High entropy of concatenated method names: 'goFsEOHwNf', 'GD1w8JgaMeRWXnqBphn', 'YXJbfegdwvbQpqOYo8x', 'BsSAf6gw3ugNyoiQA37', 'g6sYL9gT3OoW3TkEjwV', 'Y23PXQghl7OdXIPFmlC', 'n5VgQUgi3cZliogr25F', 'UGdmyRgPkENBT6jOMxq'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, IvjIAt3R8PRYkMclbQq.cs High entropy of concatenated method names: 'AGF3WpP7d2', 'upP32iSM8o', 'dPW3s5bWdI', 'xKq3twYHaa', 'L0sRC2pWeNn0EBcCVhl', 'waL6VLp2pZlGEcIEZKc', 'v4uCT3pB3tAwExpiQ3Z', 'jb5ePSp0d9nvGhmFMMa', 'p0pJl0pm58dHOU8RB4U', 'ANubdOp1iSsfq3DRjbY'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, BuLBg33cLf4PSK5wPH3.cs High entropy of concatenated method names: 'EcE3kpAm5H', 'NCdiBVEVyXfO1Sk4jIO', 'H0gcgoEjfSwiktCxuD0', 'RMbgk3E75RykrYlGPYk', 'mR39anEZFB9RU5QJF1a', 'lZL6iqEmuJH4919sTrt', 'ES1Q3EE1AyOfkCeYpd2'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, J7JoPf3b0qgI8pTx4yv.cs High entropy of concatenated method names: 'w6u3zGY4kR', 'DyhxUhjF94', 'wn6xSgLRmx', 'THECRxlTn2Rvm6GfrcS', 'gNE7aTlP7BJLvfWp3Xb', 'xap9KdldbVSP78mgJMR', 'e19wHllwPGkWHdF8frp', 'Ju7mmxlovBRcngHurUw', 'raRl96lNL3GoBj3xiTO', 'GZngQNleVnmpOt1UrSQ'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, PwYLRVuMFkfydfAmtu2.cs High entropy of concatenated method names: 'WTbuETjKxW', 'T7fpDZLqh9pwpmj3AQI', 'nh1dDiLbXvCpERC2pcL', 'PLodYnLOn2mIb1vEsvD', 'fjUGfILzIwYuGc2Ppds', 'zBJxQ0MSQvPMBp6alps', 'kcykWrL6cGV5qkp9R4n', 'KaZ5UvLf2mKPtWD2SFD'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, zKYmpM3lWEsNXl1Kftq.cs High entropy of concatenated method names: 'Isy3g6dqe6', 'gId3XIoykg', 'f7xRsdpult5J8kKn4ji', 'SJP3RqpvauN6xvkbWwg', 'LcmE4mpQl0wsdcbQU7m', 'eIfu1qp970lqRhBvjsf', 'XM7ixop3jUXPMAg7u59', 'WOjNi8pxTCGPQoLDZhu', 'Vp8HFDphXjv0lk2cpJw', 'iXmWFgpitYEoTF58bgw'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, sYKsZtizk0fr2Sy4WUo.cs High entropy of concatenated method names: 'EAJNcpp9A1', 'v7gNyN30X8', 'RDCNkWKf9X', 'EpkNChcdxJ', 'EZlNLDHTnu', 'eQbNM9UMys', 'a2bNFdlBg9', 'qjaaKlwGtk', 'M4nNEgSngt', 's6yNpMHfrd'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, GWYN2DiH0xQ3ALOrJoa.cs High entropy of concatenated method names: 'Nd3i1rSOOI', 'oDYiViUoOD', 'QwkijRRibS', 'afKi7snml7', 'EEIiZSEG4T', 'TZpi61sjky', 'KrJifRf6dO', 'wsMiqTv3CT', 'awIibCMHfY', 'QhuiOP4jNB'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, OkxkuaxKMBVMMmuopTj.cs High entropy of concatenated method names: 'LTuxyWFlTL', 'L3MxkZxBwh', 'nYXopprTinWuKyJGD0V', 'sB99GRrPpRK8X0yu5MH', 'FGeRf8rofMyGddq93RH', 'erHQ2GrddFUKPNmH0We', 'YdJnnVrw8vNJXHhRkut', 'hojGuUrNw5WWww0KjNg', 'CUBA0xre4HeYa1SZRDO'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, DXyYBL3mZsSmMUfeEFy.cs High entropy of concatenated method names: 'Oge3VFBuiu', 'o5XXD4p6EGTZecNaXJG', 'tXrcV1pfYjquIIqPlfh', 'UAaqlMpqObig1PZTxQD', 'JeyOympb5nrDR8chSxP', 'LwAO3hpOU6qDb0EQa8u', 'OwCo84pzqLwW6gS9fZ6', 'jgxjYSlSEoFTs2sBQqt', 'ffTwQYlUTb1dAfK5dAo', 'CVpTTvp7FPMsYxKVbgX'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, BHg6PxAcI6mpf1nWALj.cs High entropy of concatenated method names: 'UGZAk7NJt7', 'ec5BOMCnGAghYpch012', 'tZZ74NCRXPK6efwB6jI', 'J6cqodCGWq5gA9rnYZS', 'zdyiwUCsffHCejHtRqs', 'nsXsC1CtfkAEU9nTGkR', 'QZV94ICW7IDCBerOHvH', 'Q08egQC2RR6PunERdKs', 'rO0UmGCBt9YKHCHxdyR', 'vogVIUC0nkCK2FUSR2F'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, LB9GA5unRcmMLNPJGTO.cs High entropy of concatenated method names: 'jaDuGghXXm', 'GOcus8rogT', 'dpVutUsSAg', 'drMt1WMRWLSZXBqyRVK', 'TFkunLMGUBmD6Byb0Xk', 'uB8ThjMsBPeAYyxNsYf', 'r7YF4DMI5KBfYtWqImo', 'qvb8ihMnxwbubKb1gVV', 'QForLWMtcr4E2Y7wKXV', 'VbnnfgMW5L2fQfVVZ83'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, jOxrCa3H3OhAD9vtIJb.cs High entropy of concatenated method names: 'mhD3niTQwK', 'ssjwUJpXpHv9l6hnIMQ', 'eccN7YpHYdfJjXHlZXa', 'V8moZ1pIv0ZFdRl6V4i', 'RJRstopn4wxUvOpjhb1', 'Kp5829pRlKFCU143Exr', 'LL44LPprOZ1P8bM4GaV', 't9vA28pgDx4CqIcBw5v'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, lVt4GTxoieg0UMJSuWc.cs High entropy of concatenated method names: 'bcMxe7pqdI', 'Uxyx4QDVvQ', 'BG2YWClGO69XopHluAQ', 'JTjTLXlsXTXQ1bZl2ON', 'yusgLgltN8mSjp9q8bO', 'N1OT4PlnveEQLEtpEcj', 'J7Ld6alRtXBEfhjjKIp', 'Hm4KYhlWCXOBcfbucfU', 'i1QrbAl2njFO56aIoH2', 'KlXKdTlB9CMl94y8cR3'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, XZqr3KxXrV2Z3s67Q8Y.cs High entropy of concatenated method names: 'RVr1xfgJIwAgUI42wed', 'er4HqUg5HHWePabWYMD', 'zKmiiQ2nBh', 'rgWT01gyGvyDn3nbvJ5', 'V9m396gkYRSLx35DVaS', 'xgY84kgC3muncQxnrMy', 'WDywo1gLV77Bx2GomRL', 'dHcBhugMaEL4NdZfQCb', 'lT9bstgFmm0YTKyr6Sj', 'OJNOaXgEm0cCx6BJNGP'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, QHk67g361kvmnXVQR82.cs High entropy of concatenated method names: 'nnf3qifqUM', 'qA6PNtl9drupcEuVviO', 'jEoonwl3XPTp7U1WuQJ', 'L1MPpblx3bB63dRlGKt', 'dZv2UTlhuLabyGeqHhu', 'b2ity8lishrQUxqFFaw', 'DAAE7elvsoDIKALfNxX', 'nUuiJ6lQpJWT9bCijm4'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, yUrrkqupRAsTltVoPyO.cs High entropy of concatenated method names: 'lkwurBP1DJ', 'gmiug7HHJt', 'oLTuXGCqkI', 'KVsuHLBBme', 'ytEuIEG7cs', 'N1KLp0MY9AIVyPeZtUV', 'fJNNRpMu8KgjVbkkHE8', 'FujSZmMApt47u0RTtAL', 'uNFQB2M85Paxqkmq9Ki', 'Vit1NbMvw4GUqEc5WJZ'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, QgF1OWD2EelPT6880Z.cs High entropy of concatenated method names: 'u9xcV7Kch', 'FSEy0Enre', 'aL2C0Uavv', 'NjSkPBCOT', 'Vg9oYYC8Pyk4WJKYxEX', 'GIPXEXCYubl3KLpFAQY', 'GVt5aqCuRYG7uWgCq2S', 'alMqvuCvlfYPdl2UdYO', 'nupN5QCQ1W89mAwBAsV', 'dUwL9NC9CGUgXKNAo1Z'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, kkfKRnx8Lr2EUhJhdgb.cs High entropy of concatenated method names: 'hK0xu1EZXg', 'FTFxvaBvVd', 'Cepx9CfRNv', 'a6EbM7lD720jss2RXpP', 'tDQPhplK6OBSyn99dP2', 'AgjW6MlJcL8lWiK2byX', 'isIdGml5VfXIQc3Xthk', 'z5ptsylcu9nru6FcLtq', 'wF8HbUlyhw6NnWAW9GK'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, tqPNnXvyZl5mgsjm3ri.cs High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'JPgvCn1scf', 'NtProtectVirtualMemory', 'XQM3wrFXsIvNwYQqwOt', 'AgvDU7FHLa2c7V9R2YA', 'OvdjiXFruLhQS6wj9Bh', 'Sp28aFFguwFhJgHRZJM'
Source: 0.2.rliquida____odefaturadepagamento.exe.42c79e0.3.raw.unpack, K22qnTxJ54p1SBQCxBl.cs High entropy of concatenated method names: 'DWnxDKClVf', 'D8AiH5rYHybeB7aUVHw', 'qvfTCWruSA0eYPNeNPi', 'JfqyLcrvoKQEwZaSENu', 'NeC7QrrQVMM0kSMHcGE', 'bEXkiCr9fxcyk4PIW6i', 'hMCGZyr3U8dXM9GiYQ0', 'EruvhfrxXdtt8gu8SYT', 'fDfClPrhk2i3Ro3mHZT', 'NKrSiQriPig8JYS9P4n'
Drops PE files
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe File created: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Koerxmxvkh Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Koerxmxvkh Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: rliquida____odefaturadepagamento.exe PID: 3200, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Koerxmxvkh.exe PID: 1440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Koerxmxvkh.exe PID: 3168, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2044343749.0000000003021000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000003.00000002.2177753295.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Koerxmxvkh.exe, 00000006.00000002.2266200449.0000000003469000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Memory allocated: 2D70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Memory allocated: 3020000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Memory allocated: 2D70000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2480000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2640000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2480000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Memory allocated: 13E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Memory allocated: 2F70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Memory allocated: 2E70000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2A20000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2BD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4BD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Memory allocated: 19A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Memory allocated: 3400000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Memory allocated: 3300000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 21D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2390000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4390000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599782 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599657 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599532 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599419 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599158 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598963 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598810 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598544 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598434 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596218 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596028 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599889 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599778 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599563 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598953 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598719 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599657
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599407
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595841
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595282
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595157
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594079
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 1937 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 7870 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 1635 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 8177 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 1350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 8482
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep count: 36 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -33204139332677172s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5004 Thread sleep count: 1937 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -599891s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5004 Thread sleep count: 7870 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -599782s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -599657s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -599532s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -599419s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -599312s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -599158s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -598963s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -598810s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -598672s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -598544s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -598434s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -598328s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -598219s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -598094s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -597985s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -597860s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -597735s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -597610s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -597485s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -597360s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -597235s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -597110s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -596985s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -596860s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -596735s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -596610s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -596485s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -596328s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -596218s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -596028s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -595922s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -595813s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -595703s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -595594s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -595485s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -595360s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -595235s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -595110s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -594985s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -594860s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -594735s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -594610s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -594485s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -594360s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -594235s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -594110s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -593985s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -593860s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -593735s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428 Thread sleep time: -593578s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep count: 37 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -34126476536362649s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6444 Thread sleep count: 1635 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -599889s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6444 Thread sleep count: 8177 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -599778s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -599672s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -599563s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep count: 38 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -599438s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -599313s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -599188s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -599063s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -598953s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -598844s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -598719s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -598610s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -598485s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -598360s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -598235s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -598110s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -597985s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -597860s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -597735s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -597610s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -597485s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -597360s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -597235s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -597110s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -596985s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -596860s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -596735s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -596610s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -596485s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -596360s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -596235s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -596110s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -595985s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -595860s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -595735s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -595610s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -595485s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -595360s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -595235s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -595110s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -594985s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -594860s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -594735s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -594610s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -594485s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -594360s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -594235s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -594094s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4476 Thread sleep time: -593969s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5308 Thread sleep count: 1350 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -599891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5308 Thread sleep count: 8482 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep count: 35 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -599766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -599657s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -599532s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -599407s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -599297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -599188s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -599063s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -598938s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -598813s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -598688s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -598579s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -598454s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -598329s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -598204s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -598079s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -597954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -597829s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -597704s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -597579s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -597454s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -597329s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -597204s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -597079s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -596954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -596829s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -596704s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -596579s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -596454s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -596329s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -596204s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -596079s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -595954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -595841s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -595719s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -595609s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -595500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -595391s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -595282s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -595157s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -595047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -594938s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -594813s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -594688s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -594563s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -594438s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -594329s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -594204s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1200 Thread sleep time: -594079s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599782 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599657 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599532 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599419 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599158 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598963 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598810 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598544 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598434 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596218 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596028 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599889 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599778 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599563 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598953 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598719 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599657
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599407
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595841
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595282
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595157
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594079
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2062593680.0000000005690000.00000004.08000000.00040000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.000000000429E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qgq9DW4BxccO5hGFSVY
Source: Koerxmxvkh.exe, 00000006.00000002.2266200449.0000000003469000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: Koerxmxvkh.exe, 00000006.00000002.2266200449.0000000003469000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: rliquida____odefaturadepagamento.exe, 00000000.00000002.2062593680.0000000005690000.00000004.08000000.00040000.00000000.sdmp, rliquida____odefaturadepagamento.exe, 00000000.00000002.2060230016.000000000429E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: lZL6iqEmuJH4919sTrt
Source: InstallUtil.exe, 00000004.00000002.2551692207.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: InstallUtil.exe, 00000002.00000002.2355582772.00000000007B9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2545853268.0000000000669000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 700000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 150000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 700000 Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 702000 Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 722000 Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 724000 Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 48F008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 422000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 424000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: A6B008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 150000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 152000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 172000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 174000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 2F2008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Queries volume information: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Queries volume information: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Queries volume information: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Koerxmxvkh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\rliquida____odefaturadepagamento.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rliquida____odefaturadepagamento.exe.41da780.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Koerxmxvkh.exe.41e8a00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Koerxmxvkh.exe.41e8a00.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2195287029.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2177753295.0000000003366000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2266200449.0000000003786000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2355015844.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2195287029.0000000004024000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2060230016.000000000429E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2290932961.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2555666774.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2044343749.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2357847009.0000000002641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2548344456.0000000002391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rliquida____odefaturadepagamento.exe PID: 3200, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 2448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Koerxmxvkh.exe PID: 1440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Koerxmxvkh.exe PID: 3168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5028, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rliquida____odefaturadepagamento.exe.41da780.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Koerxmxvkh.exe.41e8a00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Koerxmxvkh.exe.41e8a00.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2195287029.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2177753295.0000000003366000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2266200449.0000000003786000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2355015844.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2195287029.0000000004024000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2060230016.000000000429E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2290932961.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2044343749.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rliquida____odefaturadepagamento.exe PID: 3200, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 2448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Koerxmxvkh.exe PID: 1440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Koerxmxvkh.exe PID: 3168, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rliquida____odefaturadepagamento.exe.41da780.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Koerxmxvkh.exe.41e8a00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rliquida____odefaturadepagamento.exe.42209c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Koerxmxvkh.exe.41e8a00.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2195287029.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2177753295.0000000003366000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2266200449.0000000003786000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2355015844.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2195287029.0000000004024000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2060230016.000000000429E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2290932961.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2060230016.00000000041DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2555666774.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2044343749.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2357847009.0000000002641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2548344456.0000000002391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rliquida____odefaturadepagamento.exe PID: 3200, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 2448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Koerxmxvkh.exe PID: 1440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Koerxmxvkh.exe PID: 3168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5028, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1529044 Sample: rliquida____odefaturadepaga... Startdate: 08/10/2024 Architecture: WINDOWS Score: 100 50 reallyfreegeoip.org 2->50 52 checkip.dyndns.org 2->52 54 checkip.dyndns.com 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Multi AV Scanner detection for submitted file 2->60 64 8 other signatures 2->64 9 rliquida____odefaturadepagamento.exe 1 4 2->9         started        13 Koerxmxvkh.exe 2 2->13         started        15 Koerxmxvkh.exe 2 2->15         started        signatures3 62 Tries to detect the country of the analysis system (by using the IP) 50->62 process4 file5 42 C:\Users\user\AppData\...\Koerxmxvkh.exe, PE32 9->42 dropped 44 C:\Users\...\Koerxmxvkh.exe:Zone.Identifier, ASCII 9->44 dropped 66 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->66 68 Writes to foreign memory regions 9->68 70 Injects a PE file into a foreign processes 9->70 17 InstallUtil.exe 15 4 9->17         started        72 Multi AV Scanner detection for dropped file 13->72 74 Machine Learning detection for dropped file 13->74 20 InstallUtil.exe 3 13->20         started        22 InstallUtil.exe 15->22         started        signatures6 process7 dnsIp8 46 reallyfreegeoip.org 188.114.96.3, 443, 49705, 49706 CLOUDFLARENETUS European Union 17->46 48 checkip.dyndns.com 132.226.8.169, 49704, 49707, 49709 UTMEMUS United States 17->48 24 cmd.exe 17->24         started        26 cmd.exe 20->26         started        28 cmd.exe 22->28         started        process9 process10 30 conhost.exe 24->30         started        32 choice.exe 24->32         started        34 conhost.exe 26->34         started        36 choice.exe 26->36         started        38 conhost.exe 28->38         started        40 choice.exe 28->40         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
132.226.8.169
 checkip.dyndns.com United States
16989 UTMEMUS false
188.114.96.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
reallyfreegeoip.org 188.114.96.3 true
checkip.dyndns.com 132.226.8.169 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false
  • URL Reputation: safe
 unknown
https://reallyfreegeoip.org/xml/8.46.123.33 false
  • URL Reputation: safe
 unknown