
Windows Analysis Report Nb2HQZZDIf

Overview

General Information

Sample Name: Nb2HQZZDIf (renamed file extension from none to exe)
Analysis ID: 452456
MD5: b8371590264db62ecbba4b7f481a21a8
SHA1: 837bfd10d70113330b2e00a1f12e99c4b0065d38
SHA256: fa3e22734ccb01da24364b65793ca5d2fafc53fbe6cef3eab8d76b158d1e0d7a
Tags: exe trojan

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
.NET source code contains very large strings
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample or dropped binary is a compiled AutoHotkey binary
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to a URL shortener service
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • Nb2HQZZDIf.exe (PID: 5924 cmdline: 'C:\Users\user\Desktop\Nb2HQZZDIf.exe' MD5: B8371590264DB62ECBBA4B7F481A21A8)
    • 1234.exe (PID: 4628 cmdline: C:\Users\user\AppData\Roaming\1234.exe 1234 MD5: 523AC177BFB4FB64A20B60FC0CE3E0E3)
      • 1234.exe (PID: 808 cmdline: {path} MD5: 523AC177BFB4FB64A20B60FC0CE3E0E3)
      • 1234.exe (PID: 2524 cmdline: {path} MD5: 523AC177BFB4FB64A20B60FC0CE3E0E3)
        • srvs.exe (PID: 5088 cmdline: 'C:\Users\user\AppData\Local\Temp\srvs.exe' MD5: D11C21AB3E969F79E3C783FDD97E1C10)
  • cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["yspasenana.xyz:80"], "Bot Id": "world"}

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000015.00000002.475705492.0000000000DF2000.00000040.00020000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000015.00000003.382545912.0000000000D10000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000015.00000002.484278366.000000000386E000.00000004.00000001.sdmp | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
00000002.00000002.306824778.00000000042C0000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.1234.exe.43e5a60.3.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
15.2.1234.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
2.2.1234.exe.43e5a60.3.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
21.2.srvs.exe.df0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.1234.exe.43e5a60.3.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["yspasenana.xyz:80"], "Bot Id": "world"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Metadefender: Detection: 17%
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Roaming\1234.exe | ReversingLabs: Detection: 33%
Multi AV Scanner detection for submitted file
Source: Nb2HQZZDIf.exe | Virustotal: Detection: 22%
Source: Nb2HQZZDIf.exe | ReversingLabs: Detection: 25%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\srvs.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.25.233.53:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.216.94.27:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.217.80.20:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: srvs.exe, 00000015.00000002.480413638.0000000001182000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140087A90 GetFileAttributesW,FindFirstFileW,FindClose,0_2_0000000140087A90
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140087B90 FindFirstFileW,FindClose,FindFirstFileW,FindClose,0_2_0000000140087B90
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D080 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,0_2_000000014004D080
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140062320 GetFileAttributesW,FindFirstFileW,FindClose,0_2_0000000140062320
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400C2390 FindFirstFileW,0_2_00000001400C2390
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D405 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,0_2_000000014004D405
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D40F SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,0_2_000000014004D40F
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D419 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,0_2_000000014004D419
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D423 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,0_2_000000014004D423
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D44D SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,0_2_000000014004D44D
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D478 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,0_2_000000014004D478
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D4A0 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,0_2_000000014004D4A0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D4BE SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,0_2_000000014004D4BE
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D4DF SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,0_2_000000014004D4DF
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D500 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,0_2_000000014004D500
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D792 FindFirstFileW,GetLastError,0_2_000000014004D792
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D7E0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,0_2_000000014004D7E0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004D990 SystemTimeToFileTime,LocalFileTimeToFileTime,GetLastError,GetSystemTimeAsFileTime,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,CreateFileW,GetLastError,SetFileTime,GetLastError,CloseHandle,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,0_2_000000014004D990
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140061A30 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,CopyFileW,GetLastError,FindNextFileW,FindClose,0_2_0000000140061A30
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004CAE0 SetLastError,DeleteFileW,GetLastError,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,DeleteFileW,GetLastError,FindNextFileW,FindClose,0_2_000000014004CAE0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140032DC0 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_0000000140032DC0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004DFA0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,0_2_000000014004DFA0

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | DNS query: name: iplogger.org
Performs DNS queries to domains with low reputation
Source: C:\Users\user\AppData\Roaming\1234.exe | DNS query: yspasenana.xyz
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 32800
Source: unknown | Network traffic detected: HTTP traffic on port 32800 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 32800
Source: unknown | Network traffic detected: HTTP traffic on port 32800 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 32800
Source: unknown | Network traffic detected: HTTP traffic on port 32800 -> 49754
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | DNS query: name: is.gd
Source: global traffic | TCP traffic: 192.168.2.3:49751 -> 5.149.255.203:32800
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" | Host: yspasenana.xyz | Content-Length: 144 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" | Host: yspasenana.xyz | Content-Length: 1151249 | Expect: 100-continue | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" | Host: yspasenana.xyz | Content-Length: 1151241 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/VerifyUpdate" | Host: yspasenana.xyz | Content-Length: 1151267 | Expect: 100-continue | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" | Host: 5.149.255.203:32800 | Content-Length: 144 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" | Host: 5.149.255.203:32800 | Content-Length: 1151929 | Expect: 100-continue | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" | Host: 5.149.255.203:32800 | Content-Length: 1151921 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.25.233.53 104.25.233.53
Source: Joe Sandbox View | IP Address: 104.192.141.1 104.192.141.1
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 5.149.255.203
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140060290 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetOpenUrlW,FreeLibrary,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,FreeLibrary,DeleteFileW,FreeLibrary,0_2_0000000140060290
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: iplogger.org
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" | Host: yspasenana.xyz | Content-Length: 144 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: srvs.exe, 00000015.00000002.484619436.000000000397A000.00000004.00000001.sdmp | String found in binary or memory: http://5.149.255.203:3
Source: srvs.exe, 00000015.00000002.484570685.0000000003975000.00000004.00000001.sdmp | String found in binary or memory: http://5.149.255.203:32800
Source: srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmp | String found in binary or memory: http://5.149.255.203:32800/
Source: srvs.exe, 00000015.00000002.484570685.0000000003975000.00000004.00000001.sdmp | String found in binary or memory: http://5.149.255.203:328004
Source: Nb2HQZZDIf.exe, Nb2HQZZDIf.exe, 00000000.00000002.308759798.00000001400DD000.00000040.00020000.sdmp | String found in binary or memory: http://ahkscript.org
Source: Nb2HQZZDIf.exe, 00000000.00000002.308759798.00000001400DD000.00000040.00020000.sdmp | String found in binary or memory: http://ahkscript.orgCould
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: http://bbuseruploads.s3.amazonaws.com
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: http://bitbucket.org
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.385284106.0000000002B0B000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484347085.0000000003898000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertBaltimoreCA-2G2.crt0
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Nb2HQZZDIf.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, Nb2HQZZDIf.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.385284106.0000000002B0B000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484347085.0000000003898000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl0:
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: 1234.exe, 0000000F.00000002.385284106.0000000002B0B000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484347085.0000000003898000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCert
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl0K
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
                      Source: Nb2HQZZDIf.exeString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                      Source: Nb2HQZZDIf.exe, 00000000.00000002.306921781.0000000000968000.00000004.00000020.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
                      Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, Nb2HQZZDIf.exeString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                      Source: srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://forms.rea
                      Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
                      Source: srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
                      Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://go.micros
                      Source: 1234.exe, 0000000F.00000003.359594805.0000000008A81000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000003.382117254.0000000008A92000.00000004.00000001.sdmpString found in binary or memory: http://ns.ado/1
                      Source: 1234.exe, 0000000F.00000003.359594805.0000000008A81000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000003.382117254.0000000008A92000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.c/g
                      Source: 1234.exe, 0000000F.00000003.359594805.0000000008A81000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000003.382117254.0000000008A92000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.cobj
                      Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                      Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.385284106.0000000002B0B000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484347085.0000000003898000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
                      Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
                      Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                      Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0K
                      Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0R
                      Source: Nb2HQZZDIf.exeString found in binary or memory: http://ocsp.sectigo.com0
                      Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmpString found in binary or memory: http://s3-w.us-east-1.amazonaws.com
                      Source: 1234.exe, 0000000F.00000002.385785787.0000000002B7B000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484424033.00000000038B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                      Source: srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                      Source: 1234.exe, 0000000F.00000002.385200656.0000000002AE6000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484278366.000000000386E000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                      Source: srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultP
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://service.r
                      Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                      Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://support.a
                      Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://support.apple.com/kb/HT203092
                      Source: srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/0
                      Source: 1234.exe, 0000000F.00000002.385167858.0000000002ADC000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsti
                      Source: srvs.exe, 00000015.00000002.484570685.0000000003975000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484347085.0000000003898000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
                      Source: 1234.exe, 0000000F.00000002.386418247.0000000002C65000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484619436.000000000397A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
                      Source: srvs.exe, 00000015.00000002.484619436.000000000397A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
                      Source: 1234.exe, 0000000F.00000002.386246795.0000000002C39000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                      Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmpString found in binary or memory: http://www.digicert.com/CPS0v
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp, 1234.exe, 00000002.00000003.226713519.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: 1234.exe, 00000002.00000003.218810935.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: 1234.exe, 00000002.00000003.220817436.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html8
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: 1234.exe, 00000002.00000003.220716049.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlyv
                      Source: 1234.exe, 00000002.00000003.219912815.0000000006011000.00000004.00000001.sdmp, 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp, 1234.exe, 00000002.00000003.219879289.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                      Source: 1234.exe, 00000002.00000003.218854259.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/v-s
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: 1234.exe, 00000002.00000003.218854259.0000000006011000.00000004.00000001.sdmp, 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: 1234.exe, 00000002.00000003.218854259.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersZ
                      Source: 1234.exe, 00000002.00000003.221158654.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersb
                      Source: 1234.exe, 00000002.00000003.219078395.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersd
                      Source: 1234.exe, 00000002.00000003.219461418.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerss
                      Source: 1234.exe, 00000002.00000003.219508500.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerst
                      Source: 1234.exe, 00000002.00000003.220606804.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
                      Source: 1234.exe, 00000002.00000003.226824512.000000000600E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
                      Source: 1234.exe, 00000002.00000003.220932014.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalic
                      Source: 1234.exe, 00000002.00000003.221286981.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalsF
                      Source: 1234.exe, 00000002.00000003.219912815.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comap
                      Source: 1234.exe, 00000002.00000003.221615342.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcom
                      Source: 1234.exe, 00000002.00000003.220606804.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcomd
                      Source: 1234.exe, 00000002.00000003.220932014.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
                      Source: 1234.exe, 00000002.00000003.220606804.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdTF
                      Source: 1234.exe, 00000002.00000003.219912815.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdsed
                      Source: 1234.exe, 00000002.00000003.226824512.000000000600E000.00000004.00000001.sdmp, 1234.exe, 00000002.00000003.226658468.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.come.com
                      Source: 1234.exe, 00000002.00000003.219912815.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgrito
                      Source: 1234.exe, 00000002.00000003.219345969.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comica
                      Source: 1234.exe, 00000002.00000003.220932014.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comitum
                      Source: 1234.exe, 00000002.00000003.219912815.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comk:
                      Source: 1234.exe, 00000002.00000003.226824512.000000000600E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.como:
                      Source: 1234.exe, 00000002.00000003.218854259.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comsiv
                      Source: 1234.exe, 00000002.00000003.219078395.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comt
                      Source: 1234.exe, 00000002.00000003.220606804.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comueto3
                      Source: 1234.exe, 00000002.00000003.218854259.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comy
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: 1234.exe, 00000002.00000003.223065732.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
                      Source: 1234.exe, 00000002.00000003.223065732.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/:
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                      Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                      Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: 1234.exe, 00000002.00000003.216761673.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-
                      Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/3
                      Source: 1234.exe, 00000002.00000003.216141867.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/:
                      Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/;
                      Source: 1234.exe, 00000002.00000003.216400129.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/U
                      Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
                      Source: 1234.exe, 00000002.00000003.216270942.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/b
                      Source: 1234.exe, 00000002.00000003.216029142.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/cros
                      Source: 1234.exe, 00000002.00000003.216270942.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/crosU
                      Source: 1234.exe, 00000002.00000003.216218362.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/f
                      Source: 1234.exe, 00000002.00000003.216857497.0000000006011000.00000004.00000001.sdmp, 1234.exe, 00000002.00000003.216761673.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/:
                      Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/U
                      Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/b
                      Source: 1234.exe, 00000002.00000003.216761673.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/p
                      Source: 1234.exe, 00000002.00000003.216029142.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/p
                      Source: 1234.exe, 00000002.00000003.216029142.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/rz
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: 1234.exe, 00000002.00000003.218706456.0000000005FEE000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
                      Source: 1234.exe, 00000002.00000003.218706456.0000000005FEE000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de2(
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: 1234.exe, 00000002.00000003.221264276.0000000005FEE000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dea(
                      Source: 1234.exe, 00000002.00000003.221264276.0000000005FEE000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dera
                      Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: 1234.exe, 00000002.00000003.215590431.0000000006011000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cntS
                      Source: 1234.exe, 0000000F.00000002.385785787.0000000002B7B000.00000004.00000001.sdmpString found in binary or memory: http://yspasenana.xyz
                      Source: 1234.exe, 0000000F.00000002.386246795.0000000002C39000.00000004.00000001.sdmpString found in binary or memory: http://yspasenana.xyz(h
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://yspasenana.xyz/
                      Source: 1234.exe, 0000000F.00000002.386040704.0000000002BF7000.00000004.00000001.sdmpString found in binary or memory: http://yspasenana.xyz4
                      Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://yspasenana.xyz:80/
                      Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: 1234.exe, 0000000F.00000002.385200656.0000000002AE6000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sb
                      Source: 1234.exe, srvs.exe, 00000015.00000002.484278366.000000000386E000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sb/geoip
                      Source: 1234.exe, 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp, srvs.exe, srvs.exe, 00000015.00000002.475705492.0000000000DF2000.00000040.00020000.sdmpString found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
                      Source: srvs.exe, 00000015.00000002.484278366.000000000386E000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sbx
                      Source: 1234.exeString found in binary or memory: https://api.ipify.org
                      Source: srvs.exeString found in binary or memory: https://api.ipify.orgcookies//setti
                      Source: 1234.exe, 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp, srvs.exe, 00000015.00000002.475705492.0000000000DF2000.00000040.00020000.sdmpString found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: Nb2HQZZDIf.exe, 00000000.00000002.307504905.0000000002D90000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.385633709.0000000002B1F000.00000004.00000001.sdmp | String found in binary or memory: https://aui-cdn.atlassian.com
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com
Source: Nb2HQZZDIf.exe | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/b~
Source: 1234.exe, 0000000F.00000002.385267737.0000000002B04000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/c6138a8d-6b23-4fcf-ac63-5ded44dfc386/downloads/74c745b8-de86-
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/c6138a8d-6b23-4fcf-ac63-5ded44dfc386/downloads/80e8feaa-7504-
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com4
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: https://bitbucket.org
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://bitbucket.org/
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/1234.exe
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/1234.exel:%
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/1234.exeu
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.385200656.0000000002AE6000.00000004.00000001.sdmp | String found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/6.exe
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp | String found in binary or memory: https://bitbucket.org4
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1234.exe, 0000000F.00000002.385633709.0000000002B1F000.00000004.00000001.sdmp | String found in binary or memory: https://d301sr5gafysq2.cloudfront.net;
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://get.adob
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://helpx.ad
Source: 1234.exe, 1234.exe, 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp, srvs.exe, srvs.exe, 00000015.00000002.475705492.0000000000DF2000.00000040.00020000.sdmp | String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: Nb2HQZZDIf.exe | String found in binary or memory: https://iplogger.org/
Source: Nb2HQZZDIf.exe, Nb2HQZZDIf.exe, 00000000.00000002.308831972.0000000140141000.00000040.00020000.sdmp | String found in binary or memory: https://iplogger.org/1Bwjj7
Source: Nb2HQZZDIf.exe, 00000000.00000003.305082174.00000000008E8000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/1Bwjj7%A_AppData%
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/
Source: Nb2HQZZDIf.exe, Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp, Nb2HQZZDIf.exe, 00000000.00000002.308831972.0000000140141000.00000040.00020000.sdmp | String found in binary or memory: https://is.gd/dg3E5g
Source: Nb2HQZZDIf.exe, 00000000.00000003.305082174.00000000008E8000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/dg3E5g%A_AppData%
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/dg3E5g7
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/dg3E5gA63
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/dg3E5gC
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/dg3E5gS6%
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/dg3E5g_6
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.385654345.0000000002B23000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484424033.00000000038B1000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484402616.00000000038AD000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Nb2HQZZDIf.exe, 00000000.00000002.306921781.0000000000968000.00000004.00000020.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: Nb2HQZZDIf.exe | String found in binary or memory: https://sectigo.com/CPS0C
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, Nb2HQZZDIf.exe | String found in binary or memory: https://sectigo.com/CPS0D
Source: srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: Nb2HQZZDIf.exe, 00000000.00000002.307504905.0000000002D90000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.385633709.0000000002B1F000.00000004.00000001.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website;
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484347085.0000000003898000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.25.233.53:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.216.94.27:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.217.80.20:443 -> 192.168.2.3:49747 version: TLS 1.2
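The rows above mix the sample's own infrastructure (the Bitbucket download of 1234.exe and 6.exe, the iplogger.org and is.gd links used as a download beacon, the ipinfo.io lookup of the victim's public IP) with strings that almost every Windows binary drags in from code-signing certificates (sectigo.com, digicert.com), browser default-search data and Chrome help pages. The "String found in binary or memory" hits also carry trailing bytes from neighbouring memory (is.gd/dg3E5g7, 1234.exeu, %A_AppData%), so the useful unit for triage is the host, not the exact URL. The Python script below is an added triage example, not part of the Joe Sandbox report: it reads rows in the shape shown above (with a " | " column separator; the page extraction dropped the table columns), strips environment-variable tokens that the memory scan glued onto URLs, groups hits by host, labels them, and pulls the remote TLS endpoints. The sample rows are constructed from the values on this page; the benign suffix allowlist and the category lists are the editor's assumptions, not something the report states.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample rows in the shape of the report's Networking table
# (the " | " column separator is added for readability; the values are the report's own).
SAMPLE_ROWS = """\
Source: Nb2HQZZDIf.exe | String found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/1234.exe
Source: Nb2HQZZDIf.exe | String found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/1234.exeu
Source: Nb2HQZZDIf.exe | String found in binary or memory: https://iplogger.org/1Bwjj7%A_AppData%
Source: Nb2HQZZDIf.exe | String found in binary or memory: https://is.gd/dg3E5g7
Source: 1234.exe, srvs.exe | String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: Nb2HQZZDIf.exe | String found in binary or memory: https://sectigo.com/CPS0C
Source: srvs.exe | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 1234.exe, srvs.exe | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: unknown | HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.216.94.27:443 -> 192.168.2.3:49717 version: TLS 1.2
"""

# Assumed allowlist: hosts that come from certificate CPS URLs, browser default-search
# data and vendor help pages rather than from the malware. Matched by domain suffix.
BENIGN_SUFFIXES = ("sectigo.com", "digicert.com", "google.com", "duckduckgo.com",
                   "search.yahoo.com", "ecosia.org", "atlassian.com", "cloudflare.com")

# Assumed categories an analyst wants called out explicitly.
CATEGORIES = {
    "url shortener / visitor logger": ("is.gd", "iplogger.org"),
    "public IP lookup (victim geolocation)": ("ipinfo.io",),
    "payload hosting on legitimate service": ("bitbucket.org", "bbuseruploads.s3.amazonaws.com"),
}

STRING_RE = re.compile(r"^Source: (?P<src>.+?) \| String found in binary or memory: (?P<url>\S+)")
TLS_RE = re.compile(r"HTTPS traffic detected: (?P<ip>[\d.]+):(?P<port>\d+) -> [\d.]+:\d+ version: (?P<ver>.+)$")
# A memory string ends wherever the scanner stopped; an environment-variable token such as
# %appdata% or AutoHotkey's %A_AppData% sitting right after the URL is a common appendage.
TRAILING_ENV_RE = re.compile(r"%[A-Za-z_]+%$")


def host_suffix_matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def categorize(host):
    for label, hosts in CATEGORIES.items():
        if host_suffix_matches(host, hosts):
            return label
    if host_suffix_matches(host, BENIGN_SUFFIXES):
        return "benign infrastructure"
    return "uncategorized (review)"


def triage(rows):
    """Return ({host: {"category", "sources", "urls"}}, [(remote_ip, port, tls_version)])."""
    hosts = defaultdict(lambda: {"category": "", "sources": set(), "urls": set()})
    tls = []
    for line in rows.splitlines():
        m = STRING_RE.match(line)
        if m:
            url = TRAILING_ENV_RE.sub("", m.group("url"))
            host = urlsplit(url).hostname or ""
            if not host:
                continue
            entry = hosts[host]
            entry["category"] = categorize(host)
            entry["sources"].update(s.strip() for s in m.group("src").split(","))
            entry["urls"].add(url)
            continue
        m = TLS_RE.search(line)
        if m:
            tls.append((m.group("ip"), int(m.group("port")), m.group("ver")))
    return dict(hosts), tls


def suspicious_hosts(rows):
    """Every host that is not on the benign allowlist, sorted for stable reporting."""
    hosts, _ = triage(rows)
    return sorted(h for h, e in hosts.items() if e["category"] != "benign infrastructure")


if __name__ == "__main__":
    hosts, tls = triage(SAMPLE_ROWS)
    for host, e in sorted(hosts.items(), key=lambda kv: kv[1]["category"]):
        print(f"{e['category']:<40} {host:<35} seen in {', '.join(sorted(e['sources']))}")
    for ip, port, ver in tls:
        print(f"{ver} to {ip}:{port}")
```

Anything the allowlist leaves as "uncategorized (review)" still needs a human look; the allowlist is deliberately short because a stealer's exfiltration host can sit behind any large CDN, and the TLS endpoints (104.192.141.1 is the bitbucket.org connection here) are what the network team needs for retrospective searching.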
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400053A0 GetTickCount,OpenClipboard,GetTickCount,OpenClipboard,0_2_00000001400053A0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140005280 GetClipboardFormatNameW,GetClipboardData,0_2_0000000140005280
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140042E80 GetSystemMetrics,GetSystemMetrics,GetDC,DestroyCursor,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,0_2_0000000140042E80
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140011052 GetKeyboardState,0_2_0000000140011052
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_00000001400018BA GlobalUnWire,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,GetKeyState,GetKeyState,GetKeyState,IsDlgButtonChecked,IsDlgButtonChecked,PostMessageW,IsDlgButtonChecked,IsDlgButtonChecked,IsDialogMessageW,GetTickCount,KillTimer,ShowWindow,GetTickCount,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,IsDialogMessageW,SetCurrentDirectoryW,ShowWindow,DragQueryFileW,DragFinish,DragFinish,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CountClipboardFormats,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsDlgButtonChecked,ScreenToClient,IsDlgButtonChecked,IsDlgButtonChecked,GetWindowRect,MulDiv,MulDiv,GetWindowRect,GetWindowRect,GetWindowLongW,SetWindowLongW,MulDiv,MulDiv,IsDlgButtonChecked,ShowWindow,DragFinish,GetWindowLongW,SetWindowLongW,0_2_00000001400018BA

                      System Summary:

.NET source code contains very large strings
Source: 1234.exe.0.dr, uNotepad/CollectionToSort.cs | Long String: Length: 32771
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/CollectionToSort.cs | Long String: Length: 32771
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/CollectionToSort.cs | Long String: Length: 32771
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/CollectionToSort.cs | Long String: Length: 32771
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/CollectionToSort.cs | Long String: Length: 32771
PE file contains section with special chars
Source: srvs.exe.15.dr | Static PE information: section name:
Source: srvs.exe.15.dr | Static PE information: section name:
Source: srvs.exe.15.dr | Static PE information: section name:
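The three section names in the rows above are blank on this page because the characters the signature fires on are non-printable and did not survive extraction. The check itself is simple to reproduce offline on the dropped srvs.exe. The following Python section-table walker is an added example, not Joe Sandbox's detector: it reads the DOS and COFF headers by hand using the offsets from the PE/COFF specification (no pefile dependency), returns every section name, and flags a name that is empty or contains any byte outside printable ASCII. The stub PE builder only produces constructed test input; the stub has no optional header and no section data, so it would never load, but its section table is laid out exactly as a linker would write it.

```python
import struct

# Offsets and sizes from the PE/COFF specification.
E_LFANEW_OFFSET = 0x3C       # DOS header field holding the file offset of "PE\0\0"
COFF_HEADER_SIZE = 20        # IMAGE_FILE_HEADER, immediately after the 4-byte signature
SECTION_HEADER_SIZE = 40     # IMAGE_SECTION_HEADER
SECTION_NAME_LEN = 8         # first field of IMAGE_SECTION_HEADER, NUL-padded


def section_names(pe):
    """Walk the section table and return each raw 8-byte name with trailing NULs removed."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, E_LFANEW_OFFSET)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine(+4), NumberOfSections(+6), ..., SizeOfOptionalHeader(+20)
    (num_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_header_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 4 + COFF_HEADER_SIZE + opt_header_size
    names = []
    for i in range(num_sections):
        start = table + i * SECTION_HEADER_SIZE
        if start + SECTION_HEADER_SIZE > len(pe):
            raise ValueError("section table runs past end of file")
        names.append(pe[start:start + SECTION_NAME_LEN].rstrip(b"\x00"))
    return names


def is_suspicious_name(name):
    """Empty, or containing any byte outside printable ASCII 0x21..0x7E.
    Linkers emit names like .text/.rdata; packers that scrub or randomise the
    table produce exactly the kind of name this report's signature complains about."""
    return name == b"" or any(b < 0x21 or b > 0x7E for b in name)


def find_suspicious_sections(pe):
    """Return [(section_index, raw_name)] for every section that fails the check."""
    return [(i, n) for i, n in enumerate(section_names(pe)) if is_suspicious_name(n)]


def build_stub_pe(names):
    """Constructed test input: a header-only x64 PE whose section table carries the
    given names. SizeOfOptionalHeader is 0, so the section table follows the COFF
    header directly; a loader would reject it, but the walk above does not care."""
    dos = b"MZ" + b"\x00" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, 0, 0x0022)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n, 0x1000, 0x1000 * (i + 1), 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(names)
    )
    return dos + b"PE\0\0" + coff + table


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_stub_pe([b".text", b".rdata", b"\x8a\x01\xff", b""])
    for idx, name in find_suspicious_sections(data):
        print(f"section {idx}: name {name!r} is not a printable ASCII name")
```

Run it with the path to the dropped file to list the offending sections by index. Note what the check does not cover: packer-style but printable names such as UPX0 pass it, so it reproduces only the "special chars" signature on this page, not a general packer heuristic.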
Sample or dropped binary is a compiled AutoHotkey binary
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Window found: window name: AutoHotkey
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140043AD0 RegisterClipboardFormatW,MoveWindow,GetSysColor,SetBkColor,SetTextColor,GetSysColorBrush,CreateCompatibleDC,SelectObject,BitBlt,SelectObject,DeleteDC,DrawIconEx,ExcludeClipRect,CreateRectRgn,GetClipRgn,GetSysColorBrush,FillRgn,DeleteObject,GetClipBox,FillRect,GetClientRect,MoveWindow,MoveWindow,MoveWindow,InvalidateRect,ShowWindow,GetMenu,CheckMenuItem,NtdllDefWindowProc_W,SendMessageTimeoutW,PostMessageW,PostMessageW,SendMessageTimeoutW,0_2_0000000140043AD0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_000000014004438A NtdllDefWindowProc_W,PostMessageW,0_2_000000014004438A
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140043BF6 NtdllDefWindowProc_W,0_2_0000000140043BF6
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140043C50 NtdllDefWindowProc_W,0_2_0000000140043C50
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe | Code function: 0_2_0000000140043C8B SetFocus,Nt