
Windows Analysis Report 256kV5Hnku

Overview

General Information

Sample Name: 256kV5Hnku (renamed file extension from none to exe)
Analysis ID: 483793
MD5: 147b3826ae80fdde64f704e44c2fdd5d
SHA1: 8087bd050b3703759b07fe1aa33573e3cf46cefb
SHA256: f7172db0993821ce20cddeb9a81d839a694a1578be45ec1e2cf47aa260ded6e0
Tags: 32, exe, RedLineStealer, trojan

Detection

RedLine
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

Process Tree

  • System is w10x64
  • 256kV5Hnku.exe (PID: 6256 cmdline: 'C:\Users\user\Desktop\256kV5Hnku.exe' MD5: 147B3826AE80FDDE64F704E44C2FDD5D)
    • conhost.exe (PID: 6268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.215.113.29:18087"], "Bot Id": "SewPalpadin"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000003.228501731.00000000022CC000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.321387823.0000000004040000.00000004.00020000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.321238803.0000000003EBC000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.324095160.0000000006C00000.00000004.00020000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.323293209.00000000051E5000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(1 further entry not shown)

Unpacked PEs

Source | Rule | Description | Author
0.2.256kV5Hnku.exe.3efd896.3.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.256kV5Hnku.exe.6c00000.6.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.256kV5Hnku.exe.4040ee8.5.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.256kV5Hnku.exe.3efd896.3.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.256kV5Hnku.exe.6c00000.6.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(7 further entries not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.256kV5Hnku.exe.4040ee8.5.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["185.215.113.29:18087"], "Bot Id": "SewPalpadin"}
Multi AV Scanner detection for submitted file
Source: 256kV5Hnku.exe | Virustotal: Detection: 38%
Source: 256kV5Hnku.exe | ReversingLabs: Detection: 60%

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Unpacked PE file: 0.2.256kV5Hnku.exe.400000.0.unpack
Uses 32bit PE files
Source: 256kV5Hnku.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\256kV5Hnku.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: 3C:\tabu\zey71_melomucetixula\higujoriy62-jacovagucef_riril.pdb$ source: 256kV5Hnku.exe
Source: Binary string: C:\tabu\zey71_melomucetixula\higujoriy62-jacovagucef_riril.pdb source: 256kV5Hnku.exe
Source: Binary string: _.pdb source: 256kV5Hnku.exe, 00000000.00000002.321387823.0000000004040000.00000004.00020000.sdmp
Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 185.215.113.29
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.3:49745 -> 185.215.113.29:18087
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.29 (38 occurrences)
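Detection logic for the traffic pattern recorded above: a client repeatedly opening TCP connections to a public IP on a non-standard port that no DNS answer ever named, which for this sample is the extracted C2 185.215.113.29:18087. This is an added example, not code from the report or from Joe Sandbox. It assumes tab-separated DNS and connection log lines in a constructed Zeek-like layout (the sample lines in the block are made up to mirror what the sandbox observed, not taken from a real capture), a STANDARD_PORTS allowlist that you would tune to your own environment, and it reuses the C2 endpoint from the Malware Configuration section. Because the sample connected by IP with no lookup, a DNS sinkhole or domain blocklist would not have caught it; the connection itself has to be the detection point.

```python
"""Flag DNS-less connections to public IPs on non-standard ports and
cross-reference them with an extracted C2 list. Added example: the log
formats below are constructed, not a real sensor's output."""
import ipaddress
import json
from dataclasses import dataclass

# C2 configuration exactly as the sandbox's extractor reported it for this sample.
REDLINE_CONFIG = json.loads('{"C2 url": ["185.215.113.29:18087"], "Bot Id": "SewPalpadin"}')

# Assumption: ports a workstation is expected to reach directly; tune per estate.
STANDARD_PORTS = {53, 80, 123, 443, 587, 993, 995}


@dataclass
class Alert:
    src: str
    dst: str
    dport: int
    first_ts: float
    count: int = 1
    reasons: tuple = ()


def parse_dns_log(lines):
    """Return {answer_ip: earliest_ts} from constructed lines shaped
    ts<TAB>client<TAB>qname<TAB>answer1,answer2,..."""
    first_seen = {}
    for line in lines:
        ts, _client, _qname, answers = line.rstrip("\n").split("\t")
        for ip in filter(None, (a.strip() for a in answers.split(","))):
            first_seen[ip] = min(float(ts), first_seen.get(ip, float("inf")))
    return first_seen


def parse_conn_log(lines):
    """Yield (ts, src_ip, dst_ip, dport) from constructed lines shaped
    ts<TAB>src_ip:sport<TAB>dst_ip:dport<TAB>proto; only TCP is considered."""
    for line in lines:
        ts, src, dst, proto = line.rstrip("\n").split("\t")
        if proto.upper() != "TCP":
            continue
        src_ip, _sport = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        yield float(ts), src_ip, dst_ip, int(dport)


def is_public(ip):
    """True for routable unicast addresses; RFC1918, loopback etc. are skipped."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved)


def detect(conn_lines, dns_lines, c2_list=REDLINE_CONFIG["C2 url"]):
    """Aggregate suspicious connections per (src, dst, dport).

    A connection is suspicious when its destination is public and at least one
    holds: no DNS answer named that IP before the connection, the port is not
    in STANDARD_PORTS, or ip:port matches an extracted C2 endpoint."""
    resolved = parse_dns_log(dns_lines)
    c2 = set(c2_list)
    alerts = {}
    for ts, src, dst, dport in parse_conn_log(conn_lines):
        if not is_public(dst):
            continue
        reasons = []
        if resolved.get(dst, float("inf")) > ts:
            reasons.append("no prior DNS resolution")
        if dport not in STANDARD_PORTS:
            reasons.append("non-standard port")
        if f"{dst}:{dport}" in c2:
            reasons.append("matches extracted RedLine C2")
        if not reasons:
            continue
        key = (src, dst, dport)
        if key in alerts:
            alerts[key].count += 1
        else:
            alerts[key] = Alert(src, dst, dport, ts, 1, tuple(reasons))
    return sorted(alerts.values(), key=lambda a: a.first_ts)


# Constructed sample logs: one benign HTTPS session that was resolved first,
# then the beaconing the sandbox recorded for this sample (same src, same C2).
SAMPLE_DNS = [
    "1000.0\t192.168.2.3\texample.com\t93.184.216.34",
]
SAMPLE_CONN = [
    "1001.0\t192.168.2.3:49740\t93.184.216.34:443\tTCP",
    "1005.0\t192.168.2.3:49745\t185.215.113.29:18087\tTCP",
    "1065.0\t192.168.2.3:49746\t185.215.113.29:18087\tTCP",
    "1125.0\t192.168.2.3:49747\t185.215.113.29:18087\tTCP",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_CONN, SAMPLE_DNS):
        print(f"{a.src} -> {a.dst}:{a.dport} x{a.count} since {a.first_ts}: "
              + ", ".join(a.reasons))
```

Run as a script it prints one aggregated alert for the C2 endpoint and nothing for the resolved HTTPS session. detect() returns one Alert per (source, destination, port) carrying the connection count, so a run over real logs of an infected host would show the repeated DNS-less connections as a single line with a count rather than one alert per beacon.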
Source: 256kV5Hnku.exe, 00000000.00000002.322979458.000000000465C000.00000004.00000001.sdmp | Strings found in binary or memory:
  ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
  m9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
  http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmp | Strings found in binary or memory:
  http://docs.oasis-open.org/ws-rx/wsrm/200702
  http://docs.oasis-open.org/ws-rx/wsrm/200702/AckRequested
  http://docs.oasis-open.org/ws-rx/wsrm/200702/CloseSequence
  http://docs.oasis-open.org/ws-rx/wsrm/200702/CloseSequenceResponse
  http://docs.oasis-open.org/ws-rx/wsrm/200702/CreateSequence
  http://docs.oasis-open.org/ws-rx/wsrm/200702/CreateSequenceResponse
  http://docs.oasis-open.org/ws-rx/wsrm/200702/SequenceAcknowledgement
  http://docs.oasis-open.org/ws-rx/wsrm/200702/TerminateSequence
  http://docs.oasis-open.org/ws-rx/wsrm/200702/TerminateSequenceResponse
  http://docs.oasis-open.org/ws-rx/wsrm/200702/fault
  http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512
  http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk
  http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1$
  http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
  http://docs.oasis-open.org/ws-sx/ws-trust/200512
  http://docs.oasis-open.org/ws-sx/ws-trust/200512#BinarySecret
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/AsymmetricKey
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/Cancel
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT/Cancel
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT/Renew
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Cancel
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Renew
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT/Cancel
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT/Renew
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
  http://docs.oasis-open.org/ws-tx/wsat/2006/06
  http://docs.oasis-open.org/ws-tx/wsat/2006/06/Aborted
  http://docs.oasis-open.org/ws-tx/wsat/2006/06/Commit
  http://docs.oasis-open.org/ws-tx/wsat/2006/06/Committed
  http://docs.oasis-open.org/ws-tx/wsat/2006/06/Completion
  http://docs.oasis-open.org/ws-tx/wsat/2006/06/Durable2PC
  http://docs.oasis-open.org/ws-tx/wsat/2006/06/Prepare
  http://docs.oasis-open.org/ws-tx/wsat/2006/06/Prepared
  http://docs.oasis-open.org/ws-tx/wsat/2006/06/ReadOnly
  http://docs.oasis-open.org/ws-tx/wsat/2006/06/Replay
  http://docs.oasis-open.org/ws-tx/wsat/2006/06/Rollback
  http://docs.oasis-open.org/ws-tx/wsat/2006/06/Volatile2PC
  http://docs.oasis-open.org/ws-tx/wsat/2006/06/fault
  http://docs.oasis-open.org/ws-tx/wscoor/2006/06
  http://docs.oasis-open.org/ws-tx/wscoor/2006/06/CreateCoordinationContext
  http://docs.oasis-open.org/ws-tx/wscoor/2006/06/CreateCoordinationContextResponse
  http://docs.oasis-open.org/ws-tx/wscoor/2006/06/Register
  http://docs.oasis-open.org/ws-tx/wscoor/2006/06/RegisterResponse
  http://docs.oasis-open.org/ws-tx/wscoor/2006/06/fault
Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmp | Strings found in binary or memory:
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
  http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
  http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: 256kV5Hnku.exe, 00000000.00000002.322979458.000000000465C000.00000004.00000001.sdmp | Strings found in binary or memory:
  http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
  http://forms.rea
  http://forms.real.com/real/realone/download.html?type=rpsp_us
  http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
  http://go.micros
Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmp | Strings found in binary or memory:
  http://schemas.datacontract.org/2004/07/
Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmp | Strings found in binary or memory:
  http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
  http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmp | Strings found in binary or memory:
  http://schemas.xmlsoap.org/soap/actor/next
  http://schemas.xmlsoap.org/soap/envelope/
Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmp | Strings found in binary or memory:
  http://schemas.xmlsoap.org/ws/2002/12/policy
  http://schemas.xmlsoap.org/ws/2004/04/sc
  http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
  http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessageD
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessagePale
                      Source: 256kV5Hnku.exe, 00000000.00000002.322513585.0000000004499000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessagel
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmp, 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity$
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                      Source: 256kV5Hnku.exe, 00000000.00000002.322979458.000000000465C000.00000004.00000001.sdmpString found in binary or memory: http://service.r
                      Source: 256kV5Hnku.exe, 00000000.00000002.322979458.000000000465C000.00000004.00000001.sdmpString found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                      Source: 256kV5Hnku.exe, 00000000.00000002.322979458.000000000465C000.00000004.00000001.sdmpString found in binary or memory: http://support.a
                      Source: 256kV5Hnku.exe, 00000000.00000002.322979458.000000000465C000.00000004.00000001.sdmpString found in binary or memory: http://support.apple.com/kb/HT203092
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/Confirm
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/ConfirmResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmp, 256kV5Hnku.exe, 00000000.00000002.322342531.0000000004451000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmp, 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/Init
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/InitDisplay
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/InitDisplayResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/InitResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartBrowsers
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartBrowsersResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartColdWallets
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartColdWalletsResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartDefenders
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartDefendersResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartDiscord
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartDiscordResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartFtpConnections
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartFtpConnectionsResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartHardwares
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartHardwaresResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartInstalledBrowsers
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartInstalledBrowsersResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartInstalledSoftwares
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmp, 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartInstalledSoftwaresResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartLanguages
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartLanguagesResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartNordVPN
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartNordVPNResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartOpenVPN
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartOpenVPNResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmp, 256kV5Hnku.exe, 00000000.00000002.322342531.0000000004451000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartProcesses
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartProcessesResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartProtonVPN
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartProtonVPNResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartScannedFiles
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartScannedFilesResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartSteamFiles
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartSteamFilesResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartTelegramFiles
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartTelegramFilesResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
                      Source: 256kV5Hnku.exe, 00000000.00000002.321644673.00000000041E1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
                      Source: 256kV5Hnku.exe, 00000000.00000002.322979458.000000000465C000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                      Source: 256kV5Hnku.exe, 00000000.00000002.322979458.000000000465C000.00000004.00000001.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                      Source: 256kV5Hnku.exe, 00000000.00000002.322664179.00000000044FF000.00000004.00000001.sdmp, tmp7CE3.tmp.0.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sb
                      Source: 256kV5Hnku.exe, 00000000.00000002.321805041.0000000004273000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sb/geoip
                      Source: 256kV5Hnku.exe, 00000000.00000002.321387823.0000000004040000.00000004.00020000.sdmpString found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
                      Source: 256kV5Hnku.exe, 00000000.00000002.322664179.00000000044FF000.00000004.00000001.sdmp, tmp7CE3.tmp.0.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: 256kV5Hnku.exe, 00000000.00000002.322664179.00000000044FF000.00000004.00000001.sdmp, tmp7CE3.tmp.0.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: 256kV5Hnku.exe, 00000000.00000002.322664179.00000000044FF000.00000004.00000001.sdmp, tmp7CE3.tmp.0.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: 256kV5Hnku.exe, 00000000.00000002.322664179.00000000044FF000.00000004.00000001.sdmp, tmp7CE3.tmp.0.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: 256kV5Hnku.exe, 00000000.00000002.322979458.000000000465C000.00000004.00000001.sdmpString found in binary or memory: https://get.adob
                      Source: 256kV5Hnku.exe, 00000000.00000002.322979458.000000000465C000.00000004.00000001.sdmpString found in binary or memory: https://helpx.ad
                      Source: 256kV5Hnku.exe, 00000000.00000002.322664179.00000000044FF000.00000004.00000001.sdmp, tmp7CE3.tmp.0.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                      Source: 256kV5Hnku.exe, 00000000.00000002.322664179.00000000044FF000.00000004.00000001.sdmp, tmp7CE3.tmp.0.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: 256kV5Hnku.exe, 00000000.00000002.322979458.000000000465C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
                      Source: 256kV5Hnku.exe, 00000000.00000002.322979458.000000000465C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                      Source: 256kV5Hnku.exe, 00000000.00000002.322979458.000000000465C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_java
                      Source: 256kV5Hnku.exe, 00000000.00000002.322979458.000000000465C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
                      Source: 256kV5Hnku.exe, 00000000.00000002.322979458.000000000465C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: 256kV5Hnku.exe, 00000000.00000002.322979458.000000000465C000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: 256kV5Hnku.exe, 00000000.00000002.322979458.000000000465C000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: 256kV5Hnku.exe, 00000000.00000002.322979458.000000000465C000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: 256kV5Hnku.exe, 00000000.00000002.322979458.000000000465C000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 256kV5Hnku.exe, 00000000.00000002.322664179.00000000044FF000.00000004.00000001.sdmp, tmp7CE3.tmp.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | DNS traffic detected: queries for: api.ip.sb
Source: 256kV5Hnku.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_00408C60
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_0040DC11
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_00407C3F
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_00418CCC
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_00406CA0
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_004028B0
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_0041A4BE
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_00418244
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_00401650
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_00402F20
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_004193C4
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_00418788
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_00402F89
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_00402B90
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_004073A0
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: String function: 0040E1D8 appears 44 times
Source: 256kV5Hnku.exe, 00000000.00000003.228123195.0000000003DC0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameForwarns.exe4 vs 256kV5Hnku.exe
Source: 256kV5Hnku.exe, 00000000.00000002.322256080.000000000440D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamechrome.exe< vs 256kV5Hnku.exe
Source: 256kV5Hnku.exe, 00000000.00000002.322256080.000000000440D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs 256kV5Hnku.exe
Source: 256kV5Hnku.exe, 00000000.00000002.322256080.000000000440D000.00000004.00000001.sdmp | Binary or memory string: m,\\StringFileInfo\\040904B0\\OriginalFilename vs 256kV5Hnku.exe
Source: 256kV5Hnku.exe, 00000000.00000002.322256080.000000000440D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs 256kV5Hnku.exe
Source: 256kV5Hnku.exe, 00000000.00000002.322256080.000000000440D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXED vs 256kV5Hnku.exe
Source: 256kV5Hnku.exe, 00000000.00000002.321387823.0000000004040000.00000004.00020000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs 256kV5Hnku.exe
Source: 256kV5Hnku.exe | Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: 256kV5Hnku.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 256kV5Hnku.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 256kV5Hnku.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 256kV5Hnku.exe | Virustotal: Detection: 38%
Source: 256kV5Hnku.exe | ReversingLabs: Detection: 60%
Source: 256kV5Hnku.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\256kV5Hnku.exe 'C:\Users\user\Desktop\256kV5Hnku.exe'
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\256kV5Hnku.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\256kV5Hnku.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\256kV5Hnku.exe | File created: C:\Users\user\AppData\Local\Yandex
Source: C:\Users\user\Desktop\256kV5Hnku.exe | File created: C:\Users\user\AppData\Local\Temp\tmp4165.tmp
Source: classification engine | Classification label: mal84.troj.spyw.evad.winEXE@2/21@2/1
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6268:120:WilError_01
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Command line argument: 08A 0_2_00413780
Source: C:\Users\user\Desktop\256kV5Hnku.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 times)
Source: C:\Users\user\Desktop\256kV5Hnku.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: 256kV5Hnku.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: 3C:\tabu\zey71_melomucetixula\higujoriy62-jacovagucef_riril.pdb$ source: 256kV5Hnku.exe
Source: Binary string: C:\tabu\zey71_melomucetixula\higujoriy62-jacovagucef_riril.pdb source: 256kV5Hnku.exe
Source: Binary string: _.pdb source: 256kV5Hnku.exe, 00000000.00000002.321387823.0000000004040000.00000004.00020000.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Unpacked PE file: 0.2.256kV5Hnku.exe.400000.0.unpack
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_0041C40C push cs; iretd 0_2_0041C4E2
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_00423149 push eax; ret 0_2_00423179
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_0041C50E push cs; iretd 0_2_0041C4E2
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_004231C8 push eax; ret 0_2_00423179
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_0040E21D push ecx; ret 0_2_0040E230
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_0041C6BE push ebx; ret 0_2_0041C6BF
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: initial sample | Static PE information: section name: .text entropy: 7.79570151494
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Process information set: NOOPENFILEERRORBOX (67 identical entries)
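Two of the Data Obfuscation findings above are cheap to reproduce statically: a .text section with entropy 7.79 (ordinary compiled code rarely exceeds about 6.5 bits per byte, so a value near 8 points to compressed or encrypted code that is unpacked at run time) and the `push reg; ret` / `push cs; iretd` pairs used as control-flow obfuscation. The script below is an added example, not Joe Sandbox code and not taken from the sample; the 7.0 entropy threshold, the gadget list and all input bytes are constructed for illustration.

```python
"""Static triage for two indicators from this report: high section entropy
(packing) and push/ret style control-flow obfuscation.

Added example, not Joe Sandbox code.  Sample inputs are constructed; the
entropy threshold and gadget list are assumptions made for the example."""
import math
import random
from collections import Counter

# Assumption: compiled x86 code usually measures 5.5-6.5 bits/byte; values
# at or above 7.0 are treated as packed/encrypted.
PACKED_ENTROPY_THRESHOLD = 7.0

# Raw x86 encodings of the sequences the report flags (plus push edx; ret):
#   50 C3 push eax; ret   51 C3 push ecx; ret   52 C3 push edx; ret
#   53 C3 push ebx; ret   0E CF push cs; iretd
OBFUSCATION_GADGETS = {
    b"\x50\xc3": "push eax; ret",
    b"\x51\xc3": "push ecx; ret",
    b"\x52\xc3": "push edx; ret",
    b"\x53\xc3": "push ebx; ret",
    b"\x0e\xcf": "push cs; iretd",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(section_bytes: bytes) -> bool:
    """True when the section's entropy reaches the packed threshold."""
    return shannon_entropy(section_bytes) >= PACKED_ENTROPY_THRESHOLD


def find_gadgets(code: bytes, base_va: int):
    """Return sorted [(virtual_address, mnemonic)] for every gadget byte pair.

    This is a byte scan, not a disassembly: it does not know instruction
    boundaries, so use the hit count relative to clean binaries of similar
    size rather than treating every hit as a real instruction."""
    hits = []
    for pattern, name in OBFUSCATION_GADGETS.items():
        start = 0
        while (idx := code.find(pattern, start)) >= 0:
            hits.append((base_va + idx, name))
            start = idx + 1
    return sorted(hits)


# --- constructed sample input (not bytes from 256kV5Hnku.exe) ----------
# "Clean" text: a repeated prologue/epilogue, seven distinct byte values.
CLEAN_TEXT = b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 64
# "Packed" text: deterministic pseudo-random bytes, entropy close to 8.0.
_rng = random.Random(7)
PACKED_TEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
# NOP sled with three gadgets planted at offsets 0x10, 0x22 and 0x2C.
GADGET_TEXT = (b"\x90" * 16 + b"\x50\xc3" + b"\x90" * 16 + b"\x0e\xcf"
               + b"\x90" * 8 + b"\x53\xc3")


def triage():
    """Run both checks on the constructed inputs and return the findings."""
    return {
        "clean_entropy": round(shannon_entropy(CLEAN_TEXT), 2),
        "clean_packed": looks_packed(CLEAN_TEXT),
        "random_entropy": round(shannon_entropy(PACKED_TEXT), 2),
        "random_packed": looks_packed(PACKED_TEXT),
        "gadgets": find_gadgets(GADGET_TEXT, base_va=0x401000),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On a real file, feed each section's raw bytes (for example from `pefile`'s `section.get_data()`) to `looks_packed` and the `.text` bytes with their virtual address to `find_gadgets`; a packed section plus a cluster of push/ret hits is the static counterpart of the "overwrites its own PE header" behaviour the sandbox recorded.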

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\256kV5Hnku.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\Desktop\256kV5Hnku.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\256kV5Hnku.exe TID: 5436 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\256kV5Hnku.exe TID: 5224 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\256kV5Hnku.exe TID: 6420 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Window / User API: threadDelayed 1094
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Window / User API: threadDelayed 3126
Source: C:\Users\user\Desktop\256kV5Hnku.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\256kV5Hnku.exe | Thread delayed: delay time: 922337203685477
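The evasion rows above combine two signals a detection engineer can score rather than eyeball: WMI queries against hardware classes that expose hypervisor strings (video controller, disk model, CPU name) and thread delays of 922337203685477, which is Int64.MaxValue in 100 ns ticks expressed in milliseconds (the value a .NET `TimeSpan.MaxValue` sleep produces, so effectively an infinite wait). The script below is an added example, not part of Joe Sandbox or of the sample: it parses rows in the report's own format, constructed here from the lines in this section, and turns them into a verdict. The fingerprint class list, the weights and the thresholds are assumptions chosen for the example.

```python
"""Score sandbox-evasion evidence from Joe Sandbox style report rows.

Added example, not Joe Sandbox code.  Input rows are constructed copies of
this report's rows; class list, weights and thresholds are assumptions."""
import re
from collections import Counter

# Assumed set of WMI classes whose output reveals a VM (adapter name,
# disk model/serial, CPU string, BIOS/manufacturer strings).
VM_FINGERPRINT_CLASSES = {
    "Win32_VideoController", "Win32_DiskDrive", "Win32_Processor",
    "Win32_ComputerSystem", "Win32_BIOS",
}

# Int64.MaxValue ticks (100 ns) converted to milliseconds, i.e. the delay
# value a .NET TimeSpan.MaxValue sleep yields: 922337203685477.
INFINITE_DELAY = (2 ** 63 - 1) // 10_000
# Assumption: any delay of ten minutes or more is treated as "long".
LONG_DELAY = 10 * 60 * 1000

WMI_RE = re.compile(r"ExecQuery - (\S+) : SELECT \* FROM (\w+)", re.IGNORECASE)
SLEEP_RE = re.compile(r"Thread sleep time: (-?\d+)s")
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")


def parse_evidence(rows):
    """Return (Counter of WMI classes queried, list of delay magnitudes)."""
    wmi = Counter()
    delays = []
    for row in rows:
        m = WMI_RE.search(row)
        if m:
            wmi[m.group(2)] += 1
            continue
        m = SLEEP_RE.search(row) or DELAY_RE.search(row)
        if m:
            delays.append(abs(int(m.group(1))))
    return wmi, delays


def evasion_verdict(rows):
    """Combine fingerprinting and delay signals into a score and verdict."""
    wmi, delays = parse_evidence(rows)
    fingerprint = sorted(c for c in wmi if c in VM_FINGERPRINT_CLASSES)
    infinite = sum(1 for d in delays if d == INFINITE_DELAY)
    long_delays = sum(1 for d in delays if LONG_DELAY <= d != INFINITE_DELAY)
    # Assumed weights: each fingerprint class 2, any infinite delay 3,
    # up to two long delays 1 each; 5 or more is called evasive.
    score = 2 * len(fingerprint) + 3 * min(infinite, 1) + min(long_delays, 2)
    return {
        "fingerprint_classes": fingerprint,
        "infinite_delays": infinite,
        "long_delays": long_delays,
        "score": score,
        "evasive": score >= 5,
    }


# Constructed copies of rows from this report's evasion section.
REPORT_ROWS = [
    r"C:\Users\user\Desktop\256kV5Hnku.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController",
    r"C:\Users\user\Desktop\256kV5Hnku.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive",
    r"C:\Users\user\Desktop\256kV5Hnku.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"C:\Users\user\Desktop\256kV5Hnku.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'",
    r"C:\Users\user\Desktop\256kV5Hnku.exe TID: 5436 Thread sleep time: -2767011611056431s >= -30000s",
    r"C:\Users\user\Desktop\256kV5Hnku.exe TID: 5224 Thread sleep time: -30000s >= -30000s",
    r"C:\Users\user\Desktop\256kV5Hnku.exe TID: 6420 Thread sleep time: -922337203685477s >= -30000s",
    r"C:\Users\user\Desktop\256kV5Hnku.exe Thread delayed: delay time: 922337203685477",
    r"C:\Users\user\Desktop\256kV5Hnku.exe Thread delayed: delay time: 922337203685477",
]

# Constructed control case: an inventory tool reading the CPU once.
BENIGN_ROWS = [
    r"C:\Tools\inventory.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"C:\Tools\inventory.exe TID: 100 Thread sleep time: -1000s >= -30000s",
]

if __name__ == "__main__":
    print("sample:", evasion_verdict(REPORT_ROWS))
    print("benign:", evasion_verdict(BENIGN_ROWS))
```

A single hardware query is normal for installers and inventory agents, which is why the score needs several fingerprint classes or an infinite delay before it flips to evasive; the sample above trips both, with three fingerprint classes, three Int64.MaxValue delays and one further multi-year delay.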