
Windows Analysis Report o4XzTr73Ut.exe

Overview

General Information

Sample Name: o4XzTr73Ut.exe
Analysis ID: 542642
MD5: f65536b785611d1b549e8d866fc898ee
SHA1: ac5d59453273ad0b026d1cd244c422cc020b94b0
SHA256: a319ca95679f9e8a30001a66ec55403a08be8c7398916746baea02c6c6539d02
Tags: exe, GuLoader

Detection

Detected families: GuLoader, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Hides threads from debuggers
Tries to steal Crypto Currency Wallets
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Contains functionality to detect virtual machines (SLDT)
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • o4XzTr73Ut.exe (PID: 6892 cmdline: "C:\Users\user\Desktop\o4XzTr73Ut.exe" MD5: F65536B785611D1B549E8D866FC898EE)
    • o4XzTr73Ut.exe (PID: 6324 cmdline: "C:\Users\user\Desktop\o4XzTr73Ut.exe" MD5: F65536B785611D1B549E8D866FC898EE)
  • cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": "194.26.229.202:18758", "Bot Id": "private_4"}

Threatname: GuLoader

{"Payload URL": "http://185.112.83.8/SoftwareCleanedPhilosf.bin"}

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Memory Dumps

Source | Rule | Description | Author
0000000C.00000000.841548004.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
0000000C.00000002.1061972250.0000000020640000.00000004.00020000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.843188696.00000000028A0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
0000000C.00000002.1060215267.000000001E3E0000.00000004.00020000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author
12.2.o4XzTr73Ut.exe.1e3e0000.2.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
12.3.o4XzTr73Ut.exe.89add8.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
12.2.o4XzTr73Ut.exe.1e170f6e.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
12.2.o4XzTr73Ut.exe.1e170086.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
12.2.o4XzTr73Ut.exe.1e170f6e.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000C.00000000.841548004.0000000000560000.00000040.00000001.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "http://185.112.83.8/SoftwareCleanedPhilosf.bin"}
Source: 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, Malware Configuration Extractor: RedLine {"C2 url": "194.26.229.202:18758", "Bot Id": "private_4"}
Multi AV Scanner detection for submitted file
Source: o4XzTr73Ut.exe, Virustotal: Detection: 7%
Source: o4XzTr73Ut.exe, ReversingLabs: Detection: 23%
Source: o4XzTr73Ut.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: o4XzTr73Ut.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: _.pdb source: o4XzTr73Ut.exe, 0000000C.00000003.1004258087.000000000089A000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060215267.000000001E3E0000.00000004.00020000.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060066764.000000001E130000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe, Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe, Code function: 0_2_00406873 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\o4XzTr73Ut.exe, Code function: 0_2_0040290B FindFirstFileW,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.4:49806 -> 185.112.83.8:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: http://185.112.83.8/SoftwareCleanedPhilosf.bin
Source: Joe Sandbox View, ASN Name: SUPERSERVERSDATACENTERRU
Source: Joe Sandbox View, ASN Name: HEANETIE
Source: Joe Sandbox View, IP Address: 185.112.83.8
Source: global traffic, HTTP traffic detected:
    GET /SoftwareCleanedPhilosf.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: 185.112.83.8
    Cache-Control: no-cache
Source: global traffic, TCP traffic: 192.168.2.4:49809 -> 194.26.229.202:18758
Source: unknown, TCP traffic detected without corresponding DNS query: 185.112.83.8
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, String found in binary or memory: k9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: o4XzTr73Ut.exe, 0000000C.00000002.1056932112.00000000022B0000.00000004.00000001.sdmp, String found in binary or memory: http://185.112.83.8/SoftwareCleanedPhilosf.bin
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: o4XzTr73Ut.exe, String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: o4XzTr73Ut.exe, String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: o4XzTr73Ut.exe, String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: o4XzTr73Ut.exe, String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: o4XzTr73Ut.exe, String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: o4XzTr73Ut.exe, String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, String found in binary or memory: http://forms.rea
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, String found in binary or memory: http://go.micros
Source: o4XzTr73Ut.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: o4XzTr73Ut.exe, String found in binary or memory: http://ocsp.digicert.com0C
Source: o4XzTr73Ut.exe, String found in binary or memory: http://ocsp.digicert.com0O
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm4
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmpString found in binary or memory: http://service.r
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmpString found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmpString found in binary or memory: http://support.a
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmpString found in binary or memory: http://support.apple.com/kb/HT203092
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060319888.000000001E5D1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                        Source: o4XzTr73Ut.exeString found in binary or memory: http://www.digicert.com/CPS0
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060771307.000000001E88D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061518015.000000001F6FA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061254455.000000001EACA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060591933.000000001E7CB000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060446492.000000001E707000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060874834.000000001E913000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061425020.000000001F689000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054172659.000000001F7BE000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054244376.000000001F82F000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060925849.000000001E944000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054346219.000000001F8A0000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061081457.000000001EA06000.00000004.00000001.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1061972250.0000000020640000.00000004.00020000.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1004258087.000000000089A000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060215267.000000001E3E0000.00000004.00020000.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060066764.000000001E130000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sb/ip
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060771307.000000001E88D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061518015.000000001F6FA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061254455.000000001EACA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060591933.000000001E7CB000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060446492.000000001E707000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060874834.000000001E913000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061425020.000000001F689000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054172659.000000001F7BE000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054244376.000000001F82F000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060925849.000000001E944000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054346219.000000001F8A0000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061081457.000000001EA06000.00000004.00000001.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060771307.000000001E88D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061518015.000000001F6FA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061254455.000000001EACA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060591933.000000001E7CB000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060446492.000000001E707000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060874834.000000001E913000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061425020.000000001F689000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054172659.000000001F7BE000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054244376.000000001F82F000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060925849.000000001E944000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054346219.000000001F8A0000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061081457.000000001EA06000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060771307.000000001E88D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061518015.000000001F6FA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061254455.000000001EACA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060591933.000000001E7CB000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060446492.000000001E707000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060874834.000000001E913000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061425020.000000001F689000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054172659.000000001F7BE000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054244376.000000001F82F000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060925849.000000001E944000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054346219.000000001F8A0000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061081457.000000001EA06000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060771307.000000001E88D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061518015.000000001F6FA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061254455.000000001EACA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060591933.000000001E7CB000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060446492.000000001E707000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060874834.000000001E913000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061425020.000000001F689000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054172659.000000001F7BE000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054244376.000000001F82F000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060925849.000000001E944000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054346219.000000001F8A0000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061081457.000000001EA06000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp | String found in binary or memory: https://get.adob
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp | String found in binary or memory: https://helpx.ad
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060771307.000000001E88D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061244305.000000001EAC7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061518015.000000001F6FA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060591933.000000001E7CB000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060446492.000000001E707000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060874834.000000001E913000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061425020.000000001F689000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054172659.000000001F7BE000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054244376.000000001F82F000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060925849.000000001E944000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054346219.000000001F8A0000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061081457.000000001EA06000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060771307.000000001E88D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061244305.000000001EAC7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061518015.000000001F6FA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060591933.000000001E7CB000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060446492.000000001E707000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060874834.000000001E913000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061425020.000000001F689000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054172659.000000001F7BE000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054244376.000000001F82F000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060925849.000000001E944000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054346219.000000001F8A0000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061081457.000000001EA06000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
                        Source: o4XzTr73Ut.exe | String found in binary or memory: https://www.digicert.com/CPS0
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060968348.000000001E95B000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060771307.000000001E88D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061244305.000000001EAC7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061518015.000000001F6FA000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060591933.000000001E7CB000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060446492.000000001E707000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060874834.000000001E913000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061425020.000000001F689000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054172659.000000001F7BE000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054244376.000000001F82F000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060925849.000000001E944000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060486327.000000001E71D000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060365448.000000001E663000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060643656.000000001E7E1000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000003.1054346219.000000001F8A0000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061125215.000000001EA1C000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1061081457.000000001EA06000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                        Source: global traffic | HTTP traffic detected: GET /SoftwareCleanedPhilosf.bin HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko; Host: 185.112.83.8; Cache-Control: no-cache
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,
                        Source: o4XzTr73Ut.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_0040755C
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_00406D85
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_72891BFF
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A90CF
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A7CF3
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028AB13E
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028AA69C
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028AA6B5
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A9627
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A6230
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028AA647
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A9F92
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A7FD0
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A6BD0
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A63E0
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A8F10
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A9F10
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028AA35F
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A1F6C
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A208B
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A9CA0
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A8003
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A685E
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A5078
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A85A9
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028AA1CD
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A05F6
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A991C
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A8517
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A5D23
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028AA146
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A6557
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_000644F8
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_000609C0
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_00062A48
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_00069E50
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_0006E590
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_00064D70
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_000F612F
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_000F6B00
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_000FED60
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_000F7170
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_000F9728
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_000F9808
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_00155C58
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_00157FB8
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_00152FE4
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_00152FE4
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_00152FE4
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A90CF NtWriteVirtualMemory,LoadLibraryA,
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A7CF3 NtAllocateVirtualMemory,LoadLibraryA,
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028AAC4D NtProtectVirtualMemory,
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A6230 NtWriteVirtualMemory,
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A6BD0 NtWriteVirtualMemory,
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A63E0 NtWriteVirtualMemory,
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A8F10 NtWriteVirtualMemory,
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028AA35F NtWriteVirtualMemory,LoadLibraryA,
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A8003 NtWriteVirtualMemory,LoadLibraryA,
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Process Stats: CPU usage > 98%
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1061972250.0000000020640000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameSwills.exe4 vs o4XzTr73Ut.exe
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1061316952.000000001F5F7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSwills.exe4 vs o4XzTr73Ut.exe
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamechrome.exe< vs o4XzTr73Ut.exe
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs o4XzTr73Ut.exe
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp | Binary or memory string: k,\\StringFileInfo\\040904B0\\OriginalFilename vs o4XzTr73Ut.exe
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs o4XzTr73Ut.exe
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060812505.000000001E8A3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXED vs o4XzTr73Ut.exe
                        Source: o4XzTr73Ut.exe, 0000000C.00000003.1004258087.000000000089A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSwills.exe4 vs o4XzTr73Ut.exe
                        Source: o4XzTr73Ut.exe, 0000000C.00000003.1004258087.000000000089A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename_.dll4 vs o4XzTr73Ut.exe
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060215267.000000001E3E0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameSwills.exe4 vs o4XzTr73Ut.exe
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060215267.000000001E3E0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs o4XzTr73Ut.exe
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060066764.000000001E130000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSwills.exe4 vs o4XzTr73Ut.exe
                        Source: o4XzTr73Ut.exe, 0000000C.00000002.1060066764.000000001E130000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename_.dll4 vs o4XzTr73Ut.exe
                        Source: o4XzTr73Ut.exe | Static PE information: invalid certificate
                        Source: o4XzTr73Ut.exe | Virustotal: Detection: 7%
                        Source: o4XzTr73Ut.exe | ReversingLabs: Detection: 23%
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | File read: C:\Users\user\Desktop\o4XzTr73Ut.exe
                        Source: o4XzTr73Ut.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: unknown | Process created: C:\Users\user\Desktop\o4XzTr73Ut.exe "C:\Users\user\Desktop\o4XzTr73Ut.exe"
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Process created: C:\Users\user\Desktop\o4XzTr73Ut.exe "C:\Users\user\Desktop\o4XzTr73Ut.exe"
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Process created: C:\Users\user\Desktop\o4XzTr73Ut.exe "C:\Users\user\Desktop\o4XzTr73Ut.exe"
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | File created: C:\Users\user\AppData\Local\Yandex
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | File created: C:\Users\user\AppData\Local\Temp\nsl3A33.tmp
                        Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/4@0/2
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_004021AA CoCreateInstance,
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | File read: C:\Users\desktop.ini
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                        Source: o4XzTr73Ut.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                        Source: Binary string: _.pdb source: o4XzTr73Ut.exe, 0000000C.00000003.1004258087.000000000089A000.00000004.00000001.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060215267.000000001E3E0000.00000004.00020000.sdmp, o4XzTr73Ut.exe, 0000000C.00000002.1060066764.000000001E130000.00000004.00000001.sdmp

                        Data Obfuscation:

                        Yara detected GuLoader
                        Source: Yara match | File source: 0000000C.00000000.841548004.0000000000560000.00000040.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.843188696.00000000028A0000.00000040.00000001.sdmp, type: MEMORY
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_728930C0 push eax; ret
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A12B9 push ebp; ret
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A8B9A push ecx; retf
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A17BD pushad ; ret
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A1305 push ebp; ret
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A5374 push edx; ret
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A0088 push esp; retn 46BCh
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A3CE4 push esi; ret
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A3C06 push esi; ret
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A0859 pushfd ; iretd
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 0_2_028A996F push ebp; ret
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_00062A48 push esp; ret
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_00062261 push ecx; ret
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_0006B530 push esp; iretd
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_000FD4D0 push cs; ret
                        Source: C:\Users\user\Desktop\o4XzTr73Ut.exe | Code function: 12_2_000FF950 push eax; iretd